
cvs commit: apache-1.3/src/main http_main.c http_core.c
martin 98/05/04 09:46:43

Modified: htdocs/manual/mod directives.html core.html
src/main http_main.c http_core.c
Log:
BS2000 Security: BS2000 needs extra authentication

Revision Changes Path
1.44 +1 -0 apache-1.3/htdocs/manual/mod/directives.html

Index: directives.html
===================================================================
RCS file: /home/cvs/apache-1.3/htdocs/manual/mod/directives.html,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -u -r1.43 -r1.44
--- directives.html 1998/04/03 16:07:15 1.43
+++ directives.html 1998/05/04 16:46:38 1.44
@@ -67,6 +67,7 @@
<LI><A HREF="core.html#bindaddress">BindAddress</A>
<LI><A HREF="mod_setenvif.html#BrowserMatch">BrowserMatch</A>
<LI><A HREF="mod_setenvif.html#BrowserMatchNoCase">BrowserMatchNoCase</A>
+<LI><A HREF="core.html#bs2000authfile">BS2000AuthFile</A>
<LI><A HREF="mod_proxy.html#cachedefaultexpire">CacheDefaultExpire</A>
<LI><A HREF="mod_proxy.html#cachedirlength">CacheDirLength</A>
<LI><A HREF="mod_proxy.html#cachedirlevels">CacheDirLevels</A>



1.110 +38 -0 apache-1.3/htdocs/manual/mod/core.html

Index: core.html
===================================================================
RCS file: /home/cvs/apache-1.3/htdocs/manual/mod/core.html,v
retrieving revision 1.109
retrieving revision 1.110
diff -u -u -r1.109 -r1.110
--- core.html 1998/04/29 06:32:11 1.109
+++ core.html 1998/05/04 16:46:38 1.110
@@ -28,6 +28,7 @@
<LI><A HREF="#authname">AuthName</A>
<LI><A HREF="#authtype">AuthType</A>
<LI><A HREF="#bindaddress">BindAddress</A>
+<LI><A HREF="#bs2000authfile">BS2000AuthFile</A>
<LI><A HREF="#clearmodulelist">ClearModuleList</A>
<LI><A HREF="#contentdigest">ContentDigest</A>
<LI><A HREF="#coredumpdirectory">CoreDumpDirectory</A>
@@ -351,6 +352,43 @@
<A HREF="../dns-caveats.html">DNS Issues</A><BR>
<STRONG>See Also:</STRONG>
<A HREF="../bind.html">Setting which addresses and ports Apache uses</A></P>
+
+<HR>
+
+<H2><A name="bs2000authfile">BS2000AuthFile directive</A></H2>
+<!--%plaintext &lt;?INDEX {\tt BS2000AuthFile} directive&gt; -->
+<A
+ HREF="directive-dict.html#Syntax"
+ REL="Help"
+><STRONG>Syntax:</STRONG></A> BS2000AuthFile <EM>authfile</EM><BR>
+<A
+ HREF="directive-dict.html#Default"
+ REL="Help"
+><STRONG>Default:</STRONG></A> <EM>none</EM><BR>
+<A
+ HREF="directive-dict.html#Context"
+ REL="Help"
+><STRONG>Context:</STRONG></A> server config<BR>
+<A
+ HREF="directive-dict.html#Status"
+ REL="Help"
+><STRONG>Status:</STRONG></A> core<BR>
+<STRONG>Compatibility:</STRONG></A> BS2000AuthFile is only available for BS2000 machines, as of Apache 1.3 and later.<P>
+
+The <CODE>BS2000AuthFile</CODE> directive is available for BS2000 hosts
+only. It must be used to define the password file which is used to
+change the BS2000 task environment of the server to the non-privileged
+account specified by the <A HREF="#user">User</A> directive. This is
+required in the BS2000 POSIX subsystem (by performing a sub-LOGON) to
+prevent CGI scripts from accessing resources of the privileged account
+which started the server, usually <SAMP>TSOS</SAMP>.<BR>
+Note that the specified <EM>authfile</EM> must be owned by the super
+user and must not be readable or writable by anyone else, otherwise
+Apache will refuse to start and exit with an error message.<BR>
+Only one <CODE>BS2000AuthFile</CODE> directive can be used. <P>
+
+<P><STRONG>See Also:</STRONG>
+<A HREF="../ebcdic.html">Apache EBCDIC port</A></P>

<HR>




1.330 +5 -1 apache-1.3/src/main/http_main.c

Index: http_main.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_main.c,v
retrieving revision 1.329
retrieving revision 1.330
diff -u -u -r1.329 -r1.330
--- http_main.c 1998/05/03 17:17:00 1.329
+++ http_main.c 1998/05/04 16:46:40 1.330
@@ -3147,7 +3147,11 @@
}
#else
/* Only try to switch if we're running as root */
- if (!geteuid() && setuid(ap_user_id) == -1) {
+ if (!geteuid() && (
+#ifdef _OSD_POSIX
+ os_init_job_environment(server_conf, ap_user_name) != 0 ||
+#endif
+ setuid(ap_user_id) == -1)) {
ap_log_error(APLOG_MARK, APLOG_ALERT, server_conf,
"setuid: unable to change uid");
clean_child_exit(APEXIT_CHILDFATAL);
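Review bot: The alert under the new condition still reads `setuid: unable to change uid`, so a failed os_init_job_environment() sub-LOGON is logged as a setuid failure. An operator then cannot tell a missing or rejected BS2000AuthFile from a uid problem. Exiting through clean_child_exit() is the right fail-closed outcome for both steps, but each should log its own message, as sketched below. The call does not pass APLOG_NOERRNO, so whatever errno holds is appended to the message; it is worth confirming that os_init_job_environment() leaves a meaningful errno, which this hunk does not show. The enclosing function starts and ends outside the hunk.

```c
#ifdef _OSD_POSIX
    /* BS2000: the sub-LOGON must succeed before the uid switch */
    if (!geteuid() && os_init_job_environment(server_conf, ap_user_name) != 0) {
	ap_log_error(APLOG_MARK, APLOG_ALERT, server_conf,
		    "os_init_job_environment: unable to switch BS2000 task environment");
	clean_child_exit(APEXIT_CHILDFATAL);
    }
#endif
    /* Only try to switch if we're running as root */
    if (!geteuid() && setuid(ap_user_id) == -1) {
	/* … unchanged: setuid alert and clean_child_exit … */
```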



1.191 +14 -0 apache-1.3/src/main/http_core.c

Index: http_core.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
retrieving revision 1.190
retrieving revision 1.191
diff -u -u -r1.190 -r1.191
--- http_core.c 1998/05/03 10:37:06 1.190
+++ http_core.c 1998/05/04 16:46:41 1.191
@@ -1861,6 +1861,16 @@
return NULL;
}

+#ifdef _OSD_POSIX /* BS2000 Logon Passwd file */
+static const char *set_bs2000_authfile (cmd_parms *cmd, void *dummy, char *name)
+{
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) return err;
+
+ return os_set_authfile(cmd->pool, name);
+}
+#endif /*_OSD_POSIX*/
+
/* Note --- ErrorDocument will now work from .htaccess files.
* The AllowOverride of Fileinfo allows webmasters to turn it off
*/
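Review bot: set_bs2000_authfile() passes `name` to os_set_authfile() unchanged, and nothing in this hunk shows the check the manual promises (owned by the super user, not readable or writable by anyone else). If that check is done in os_set_authfile() or at sub-LOGON time, a header comment should say so, e.g. `/* BS2000AuthFile: password file for the sub-LOGON; owner and mode are verified in <where enforced>, and the server refuses to start otherwise */`. The check is safest when made on the opened file descriptor rather than on the path, so the file cannot be replaced between the check and the read. A relative `name` is also passed through as given; unless os_set_authfile() resolves it, `return os_set_authfile(cmd->pool, ap_server_root_relative(cmd->pool, name));` would make the lookup independent of the working directory.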
@@ -1992,6 +2002,10 @@
{ "LogLevel", set_loglevel, NULL, RSRC_CONF, TAKE1, "set level of verbosity in error logging" },
{ "NameVirtualHost", ap_set_name_virtual_host, NULL, RSRC_CONF, TAKE1,
"a numeric ip address:port, or the name of a host" },
+#ifdef _OSD_POSIX
+{ "BS2000AuthFile", set_bs2000_authfile, NULL, RSRC_CONF, TAKE1,
+ "server User's bs2000 logon password file (read-protected)" },
+#endif
{ NULL },
};