Skip to content

check for duplicate ACL entries when applying listen.acl_* #18362

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+65 −2
Open

check for duplicate ACL entries when applying listen.acl_* #18362

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 65 additions & 2 deletions sapi/fpm/fpm/fpm_unix.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -290,7 +290,10 @@ int fpm_unix_set_socket_permissions(struct fpm_worker_pool_s *wp, const char *pa
if (wp->socket_acl) {
acl_t aclfile, aclconf;
acl_entry_t entryfile, entryconf;
int i;
int ifile, iconf;
acl_tag_t tagfile, tagconf;
uid_t *uidfile, *uidconf;
gid_t *gidfile, *gidconf;

/* Read the socket ACL */
aclconf = wp->socket_acl;
Expand All @@ -300,7 +303,67 @@ int fpm_unix_set_socket_permissions(struct fpm_worker_pool_s *wp, const char *pa
return -1;
}
/* Copy the new ACL entry from config */
for (i=ACL_FIRST_ENTRY ; acl_get_entry(aclconf, i, &entryconf) ; i=ACL_NEXT_ENTRY) {
for (iconf=ACL_FIRST_ENTRY ; acl_get_entry(aclconf, iconf, &entryconf) ; iconf=ACL_NEXT_ENTRY) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: might be good to fix the CS when you are in it:

Suggested change
for (iconf=ACL_FIRST_ENTRY ; acl_get_entry(aclconf, iconf, &entryconf) ; iconf=ACL_NEXT_ENTRY) {
for (iconf = ACL_FIRST_ENTRY; acl_get_entry(aclconf, iconf, &entryconf); iconf = ACL_NEXT_ENTRY) {

if (0 > acl_get_tag_type(entryconf, &tagconf)) {
zlog(ZLOG_SYSERROR, "[pool %s] failed to get tag of the ACL entry of the pool", wp->config->name);
acl_free(aclfile);
return -1;
}
if (tagconf == ACL_USER) {
uidconf = acl_get_qualifier(entryfile);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The entryfile is not initialized so I assume you wanted to use entryconf here, right?

if (!uidconf) {
zlog(ZLOG_SYSERROR, "[pool %s] failed to get user qualifier of the ACL entry of the pool", wp->config->name);
acl_free(aclfile);
return -1;
}
} else {
gidconf = acl_get_qualifier(entryfile);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

if (!gidconf) {
zlog(ZLOG_SYSERROR, "[pool %s] failed to get group qualifier of the ACL entry of the pool", wp->config->name);
acl_free(aclfile);
return -1;
}
}
for (ifile=ACL_FIRST_ENTRY ; acl_get_entry(aclfile, ifile, &entryfile) ; ifile=ACL_NEXT_ENTRY) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: another CS style fix

Suggested change
for (ifile=ACL_FIRST_ENTRY ; acl_get_entry(aclfile, ifile, &entryfile) ; ifile=ACL_NEXT_ENTRY) {
for (ifile = ACL_FIRST_ENTRY; acl_get_entry(aclfile, ifile, &entryfile); ifile = ACL_NEXT_ENTRY) {

if (0 > acl_get_tag_type(entryfile, &tagfile)) {
zlog(ZLOG_SYSERROR, "[pool %s] failed to get tag of the ACL entry of the socket '%s'", wp->config->name, path);
acl_free(tagconf == ACL_USER ? uidconf : gidconf);
acl_free(aclfile);
return -1;
}
if (tagfile != ACL_USER && tagfile != ACL_GROUP)
continue;
if (tagfile != tagconf)
continue;
if (tagfile == ACL_USER) {
uidfile = acl_get_qualifier(entryfile);
if (!uidfile) {
zlog(ZLOG_SYSERROR, "[pool %s] failed to get user qualifier of the ACL entry of the socket '%s'", wp->config->name, path);
acl_free(uidconf);
acl_free(aclfile);
return -1;
}
if (*uidfile != *uidconf) {
acl_free(uidfile);
continue;
}
} else {
gidfile = acl_get_qualifier(entryfile);
if (!gidfile) {
zlog(ZLOG_SYSERROR, "[pool %s] failed to get group qualifier of the ACL entry of the socket '%s'", wp->config->name, path);
acl_free(gidconf);
acl_free(aclfile);
return -1;
}
if (*gidfile != *gidconf) {
acl_free(gidfile);
continue;
}
}
acl_free(tagfile == ACL_USER ? uidfile : gidfile);
acl_delete_entry(aclfile, entryfile);
}
acl_free(tagconf == ACL_USER ? uidconf : gidconf);
if (0 > acl_create_entry (&aclfile, &entryfile) ||
0 > acl_copy_entry(entryfile, entryconf)) {
zlog(ZLOG_SYSERROR, "[pool %s] failed to add entry to the ACL of the socket '%s'", wp->config->name, path);
Expand Down
Loading