Mercurial > hg > nginx
annotate src/os/unix/ngx_user.c @ 5356:acd51b0f6fd4
Disable symlinks: use O_PATH to open path components.
It was introduced in Linux 2.6.39, glibc 2.14 and allows to obtain
file descriptors without actually opening files. Thus made it possible
to traverse path with openat() syscalls without the need to have read
permissions for path components. It is effectively emulates O_SEARCH
which is missing on Linux.
O_PATH is used in combination with O_RDONLY. The last one is ignored
if O_PATH is used, but it allows nginx to not fail when it was built on
modern system (i.e. glibc 2.14+) and run with a kernel older than 2.6.39.
Then O_PATH is unknown to the kernel and ignored, while O_RDONLY is used.
Sadly, fstat() is not working with O_PATH descriptors till Linux 3.6.
As a workaround we fallback to fstatat() with the AT_EMPTY_PATH flag
that was introduced at the same time as O_PATH.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Mon, 02 Sep 2013 08:07:59 +0400 |
parents | 6ccd3a50b40f |
children | fd6fd02f6a4d |
rev | line source |
---|---|
503 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
503 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 | |
11 | |
12 /* | |
13 * Solaris has thread-safe crypt() | |
14 * Linux has crypt_r(); "struct crypt_data" is more than 128K | |
15 * FreeBSD needs the mutex to protect crypt() | |
16 * | |
17 * TODO: | |
18 * ngx_crypt_init() to init mutex | |
19 */ | |
20 | |
21 | |
22 #if (NGX_CRYPT) | |
23 | |
527 | 24 #if (NGX_HAVE_GNU_CRYPT_R) |
503 | 25 |
26 ngx_int_t | |
3922
9c057d5e1c27
"$apr1", "{PLAIN}", and "{SSHA}" password methods in auth basic module
Igor Sysoev <igor@sysoev.ru>
parents:
3796
diff
changeset
|
27 ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted) |
503 | 28 { |
29 char *value; | |
30 size_t len; | |
31 struct crypt_data cd; | |
32 | |
509 | 33 cd.initialized = 0; |
529 | 34 /* work around the glibc bug */ |
35 cd.current_salt[0] = ~salt[0]; | |
509 | 36 |
503 | 37 value = crypt_r((char *) key, (char *) salt, &cd); |
38 | |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
39 if (value) { |
3796
7dec2852e8fd
allocate last zero byte in ngx_crypt()
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
40 len = ngx_strlen(value) + 1; |
503 | 41 |
2049 | 42 *encrypted = ngx_pnalloc(pool, len); |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
43 if (*encrypted == NULL) { |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
44 return NGX_ERROR; |
503 | 45 } |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
46 |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
47 ngx_memcpy(*encrypted, value, len); |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
48 return NGX_OK; |
503 | 49 } |
50 | |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
51 ngx_log_error(NGX_LOG_CRIT, pool->log, ngx_errno, "crypt_r() failed"); |
509 | 52 |
503 | 53 return NGX_ERROR; |
54 } | |
55 | |
56 #else | |
57 | |
58 ngx_int_t | |
3922
9c057d5e1c27
"$apr1", "{PLAIN}", and "{SSHA}" password methods in auth basic module
Igor Sysoev <igor@sysoev.ru>
parents:
3796
diff
changeset
|
59 ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted) |
503 | 60 { |
61 char *value; | |
62 size_t len; | |
509 | 63 ngx_err_t err; |
503 | 64 |
65 #if (NGX_THREADS && NGX_NONREENTRANT_CRYPT) | |
66 | |
4499
778ef9c3fd2d
Fixed spelling in single-line comments.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
67 /* crypt() is a time consuming function, so we only try to lock */ |
503 | 68 |
69 if (ngx_mutex_trylock(ngx_crypt_mutex) != NGX_OK) { | |
70 return NGX_AGAIN; | |
71 } | |
72 | |
73 #endif | |
74 | |
75 value = crypt((char *) key, (char *) salt); | |
76 | |
77 if (value) { | |
3796
7dec2852e8fd
allocate last zero byte in ngx_crypt()
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
78 len = ngx_strlen(value) + 1; |
503 | 79 |
2049 | 80 *encrypted = ngx_pnalloc(pool, len); |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
81 if (*encrypted == NULL) { |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
82 #if (NGX_THREADS && NGX_NONREENTRANT_CRYPT) |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
83 ngx_mutex_unlock(ngx_crypt_mutex); |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
84 #endif |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
85 return NGX_ERROR; |
503 | 86 } |
509 | 87 |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
88 ngx_memcpy(*encrypted, value, len); |
509 | 89 #if (NGX_THREADS && NGX_NONREENTRANT_CRYPT) |
90 ngx_mutex_unlock(ngx_crypt_mutex); | |
91 #endif | |
92 return NGX_OK; | |
503 | 93 } |
94 | |
509 | 95 err = ngx_errno; |
96 | |
503 | 97 #if (NGX_THREADS && NGX_NONREENTRANT_CRYPT) |
98 ngx_mutex_unlock(ngx_crypt_mutex); | |
99 #endif | |
100 | |
509 | 101 ngx_log_error(NGX_LOG_CRIT, pool->log, err, "crypt() failed"); |
102 | |
103 return NGX_ERROR; | |
503 | 104 } |
105 | |
106 #endif | |
107 | |
108 #endif /* NGX_CRYPT */ |