diff options
| author | rcritten <> | 2011-03-02 21:12:05 +0000 |
|---|---|---|
| committer | rcritten <> | 2011-03-02 21:12:05 +0000 |
| commit | f656ffc036af239a4236f1c1fc97e32a809d470d (patch) | |
| tree | 334e7b4af59abcd246d345f2ddadb5a659c1598c /nss_engine_init.c | |
| parent | 1a10bf6ecc79da62bba901758feaa134aa4d50ca (diff) | |
| download | mod_nss-f656ffc036af239a4236f1c1fc97e32a809d470d.tar.gz mod_nss-f656ffc036af239a4236f1c1fc97e32a809d470d.tar.xz mod_nss-f656ffc036af239a4236f1c1fc97e32a809d470d.zip | |
Add a semaphore lock around retrieving token PINs from the nss_pcache
pipe. Rarely requests to the pipe were getting overridden causing
that child to not enable SSL.
Fedora bug 677701
Diffstat (limited to 'nss_engine_init.c')
| -rw-r--r-- | nss_engine_init.c | 45 |
1 files changed, 41 insertions, 4 deletions
diff --git a/nss_engine_init.c b/nss_engine_init.c index 0392205..6b0770c 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c @@ -312,6 +312,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, int sslenabled = FALSE; int fipsenabled = FALSE; int threaded = 0; + struct semid_ds status; mc->nInitCount++; @@ -412,10 +413,26 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, "Init: %snitializing NSS library", mc->nInitCount == 1 ? "I" : "Re-i"); + /* The first pass through this function will create the semaphore that + * will be used to lock the pipe. The user is still root at that point + * so for any later calls the semaphore ops will fail with permission + * errors. So switch the user to the Apache user. + */ + if (mc->semid) { + uid_t user_id; + + user_id = ap_uname2id(mc->user); + semctl(mc->semid, 0, IPC_STAT, &status); + status.sem_perm.uid = user_id; + semctl(mc->semid,0,IPC_SET,&status); + } + /* Do we need to fire up our password helper? */ if (mc->nInitCount == 1) { const char * child_argv[5]; apr_status_t rv; + struct sembuf sb; + char sembuf[32]; if (mc->pphrase_dialog_helper == NULL) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, @@ -423,11 +440,31 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog, nss_die(); } + mc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600); + if (mc->semid == -1) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Unable to obtain semaphore."); + nss_die(); + } + + /* Initialize the semaphore */ + sb.sem_num = 0; + sb.sem_op = 1; + sb.sem_flg = 0; + if ((semop(mc->semid, &sb, 1)) == -1) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Unable to initialize semaphore."); + nss_die(); + } + + PR_snprintf(sembuf, 32, "%d", mc->semid); + child_argv[0] = mc->pphrase_dialog_helper; - child_argv[1] = fipsenabled ? "on" : "off"; - child_argv[2] = mc->pCertificateDatabase; - child_argv[3] = mc->pDBPrefix; - child_argv[4] = NULL; + child_argv[1] = sembuf; + child_argv[2] = fipsenabled ? "on" : "off"; + child_argv[3] = mc->pCertificateDatabase; + child_argv[4] = mc->pDBPrefix; + child_argv[5] = NULL; rv = apr_procattr_create(&mc->procattr, mc->pPool); |