HCoop / hcoop / debian / libapache-mod-waklog.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
first round of UMBC merges; all these changes are inert no-ops
[hcoop/debian/libapache-mod-waklog.git] / mod_waklog.c
CommitLineData
87822447 1#define _LARGEFILE64_SOURCE
ff47641b 2#define _GNU_SOURCE
87822447 3
bed98ff9 4#include "httpd.h"
5#include "http_config.h"
bed98ff9 6#include "http_log.h"
7193eb01 7#include "http_protocol.h"
8#include "http_request.h"
9#include "http_core.h"
87822447 10
ff47641b 11#ifdef sun
12#include <synch.h>
13#elif linux
14#define use_pthreads
15#include <features.h>
16#include <sys/types.h>
17#include <sys/mman.h>
18#include <pthread.h>
19#else
20#error "make sure you include the right stuff here"
21#endif
22
23#ifndef MAXNAMELEN
24#define MAXNAMELEN 1024
25#endif
26
87822447 27#ifdef STANDARD20_MODULE_STUFF
28#include <apr_strings.h>
29#include <apr_base64.h>
30#include <apr_compat.h>
31#include <apu_compat.h>
32
33module AP_MODULE_DECLARE_DATA waklog_module;
34
ff47641b 35#include <http_conf_globals.h>
87822447 36#define MK_POOL apr_pool_t
37#define MK_TABLE_GET apr_table_get
ff47641b 38#define MK_TABLE_SET ap_table_set
87822447 39#include "unixd.h"
40extern unixd_config_rec unixd_config;
41#define ap_user_id unixd_config.user_id
42#define ap_group_id unixd_config.group_id
43#define ap_user_name unixd_config.user_name
44#define command(name, func, var, type, usage) \
45 AP_INIT_ ## type (name, (void*) func, \
46 (void*)APR_OFFSETOF(waklog_config, var), \
47 OR_AUTHCFG | RSRC_CONF, usage)
48typedef struct {
49 int dummy;
50} child_info;
51
52const char *userdata_key = "waklog_init";
53#else
bed98ff9 54#include "ap_config.h"
87822447 55
56module waklog_module;
57#define MK_POOL pool
58#define MK_TABLE_GET ap_table_get
59#define command(name, func, var, type, usage) \
60 { name, func, \
61 (void*)XtOffsetOf(waklog_config, var), \
62 OR_AUTHCFG | RSRC_CONF, type, usage }
63#endif /* STANDARD20_MODULE_STUFF */
64
65#define getModConfig(P, X) P = (waklog_host_config *) ap_get_module_config( (X)->module_config, &waklog_module );
66
4e1ae1cd 67#include <krb5.h>
bed98ff9 68
7193eb01 69#if defined(sun)
bed98ff9 70#include <sys/ioccom.h>
7193eb01 71#endif /* sun */
bed98ff9 72#include <stropts.h>
bed98ff9 73#include <afs/venus.h>
7193eb01 74#include <afs/auth.h>
75#include <rx/rxkad.h>
76
87822447 77#define KEYTAB "/etc/keytab.wwwserver"
78#define KEYTAB_PRINCIPAL "someplacewwwserver"
79#define AFS_CELL "someplace.edu"
4e1ae1cd 80
58bbdc54 81#define TKT_LIFE 10*60*60
b52ccbb1 82#define SLEEP_TIME TKT_LIFE - 5*60
87822447 83/* If there's an error, retry more aggressively */
84#define ERR_SLEEP_TIME 5*60
58bbdc54 85
58bbdc54 86
87#define K5PATH "FILE:/tmp/waklog.creds.k5"
7193eb01 88
313dde40 89typedef struct {
87822447 90 int forked;
4e1ae1cd 91 int configured;
92 int protect;
93 char *keytab;
7193eb01 94 char *keytab_principal;
403921ef 95 char *afs_cell;
87822447 96 MK_POOL *p;
313dde40 97} waklog_host_config;
98
7193eb01 99typedef struct {
100 struct ktc_token token;
101} waklog_child_config;
58bbdc54 102waklog_child_config child;
103
87822447 104static void
105log_error(const char *file, int line, int level, int status,
106 const server_rec *s, const char *fmt, ...)
4d47a8d9 107{
87822447 108 char errstr[1024];
109 va_list ap;
4d47a8d9 110
87822447 111 va_start(ap, fmt);
112 vsnprintf(errstr, sizeof(errstr), fmt, ap);
113 va_end(ap);
4d47a8d9 114
87822447 115#ifdef STANDARD20_MODULE_STUFF
116 ap_log_error(file, line, level | APLOG_NOERRNO, status, s, "%s", errstr);
117#else
118 ap_log_error(file, line, level | APLOG_NOERRNO, s, "%s", errstr);
119#endif
4d47a8d9 120
87822447 121}
4d47a8d9 122
313dde40 123 static void *
87822447 124waklog_create_server_config( MK_POOL *p, server_rec *s )
313dde40 125{
126 waklog_host_config *cfg;
127
128 cfg = (waklog_host_config *)ap_pcalloc( p, sizeof( waklog_host_config ));
87822447 129 cfg->p = p;
130 cfg->forked = 0;
313dde40 131 cfg->configured = 0;
132 cfg->protect = 0;
58bbdc54 133 cfg->keytab = KEYTAB;
134 cfg->keytab_principal = KEYTAB_PRINCIPAL;
135 cfg->afs_cell = AFS_CELL;
313dde40 136
87822447 137 log_error( APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: server config created." );
138
313dde40 139 return( cfg );
140}
141
142
313dde40 143 static const char *
144set_waklog_protect( cmd_parms *params, void *mconfig, int flag )
145{
146 waklog_host_config *cfg;
147
87822447 148 getModConfig(cfg, params->server );
313dde40 149
150 cfg->protect = flag;
151 cfg->configured = 1;
87822447 152 log_error( APLOG_MARK, APLOG_DEBUG, 0, params->server, "mod_waklog: waklog_protect set" );
313dde40 153 return( NULL );
154}
155
156
4e1ae1cd 157 static const char *
161ffd84 158set_waklog_keytab( cmd_parms *params, void *mconfig, char *file )
4e1ae1cd 159{
160 waklog_host_config *cfg;
161
87822447 162 getModConfig(cfg, params->server );
4e1ae1cd 163
87822447 164 log_error( APLOG_MARK, APLOG_INFO, 0, params->server,
165 "mod_waklog: will use keytab: %s", file );
3ed1e28a 166
b52ccbb1 167 cfg->keytab = ap_pstrdup ( params->pool, file );
4e1ae1cd 168 cfg->configured = 1;
169 return( NULL );
170}
171
172
58bbdc54 173 static const char *
174set_waklog_use_keytab_principal( cmd_parms *params, void *mconfig, char *file )
b74fad73 175{
58bbdc54 176 waklog_host_config *cfg;
7193eb01 177
87822447 178 getModConfig(cfg, params->server );
7193eb01 179
87822447 180 log_error( APLOG_MARK, APLOG_INFO, 0, params->server,
181 "mod_waklog: will use keytab_principal: %s", file );
58bbdc54 182
b52ccbb1 183 cfg->keytab_principal = ap_pstrdup ( params->pool, file );
58bbdc54 184 cfg->configured = 1;
185 return( NULL );
186}
187
188
189 static const char *
190set_waklog_use_afs_cell( cmd_parms *params, void *mconfig, char *file )
191{
192 waklog_host_config *cfg;
193
87822447 194 getModConfig(cfg, params->server );
58bbdc54 195
87822447 196 log_error( APLOG_MARK, APLOG_INFO, 0, params->server,
197 "mod_waklog: will use afs_cell: %s", file );
58bbdc54 198
b52ccbb1 199 cfg->afs_cell = ap_pstrdup( params->pool, file );
58bbdc54 200 cfg->configured = 1;
201 return( NULL );
202}
203
204
205 static void
87822447 206#ifdef STANDARD20_MODULE_STUFF
207waklog_child_init(MK_POOL *p, server_rec *s)
208#else
209waklog_child_init(server_rec *s, MK_POOL *p)
210#endif
58bbdc54 211{
212
87822447 213 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
214 "mod_waklog: child_init called" );
215
58bbdc54 216 memset( &child.token, 0, sizeof( struct ktc_token ) );
7193eb01 217
b74fad73 218 setpag();
7193eb01 219
87822447 220 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
221 "mod_waklog: child_init returned" );
222
b74fad73 223 return;
224}
225
87822447 226typedef struct {
227 int wak_protect;
228 char *wak_keytab;
229 char *wak_ktprinc;
230 char *wak_afscell;
231} waklog_config;
b74fad73 232
313dde40 233command_rec waklog_cmds[ ] =
234{
87822447 235 command("WaklogProtected", set_waklog_protect, wak_protect, FLAG, "enable waklog on a location or directory basis"),
313dde40 236
87822447 237 command("WaklogKeytab", set_waklog_keytab, wak_keytab, TAKE1, "Use the supplied keytab rather than the default"),
58bbdc54 238
87822447 239 command("WaklogUseKeytabPrincipal", set_waklog_use_keytab_principal, wak_ktprinc, TAKE1, "Use the supplied keytab principal rather than the default"),
58bbdc54 240
87822447 241 command("WaklogUseAFSCell", set_waklog_use_afs_cell, wak_afscell, TAKE1, "Use the supplied AFS cell rather than the default"),
4e1ae1cd 242
313dde40 243 { NULL }
244};
245
246
87822447 247 static int
e2df6441 248token_cleanup( void *data )
bed98ff9 249{
250 request_rec *r = (request_rec *)data;
bed98ff9 251
58bbdc54 252 if ( child.token.ticketLen ) {
253 memset( &child.token, 0, sizeof( struct ktc_token ) );
bed98ff9 254
7193eb01 255 ktc_ForgetAllTokens();
bed98ff9 256
87822447 257 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
258 "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d", getpid() );
7193eb01 259 }
87822447 260 return 0;
bed98ff9 261}
262
263
4e1ae1cd 264 static int
e2df6441 265waklog_kinit( server_rec *s )
4e1ae1cd 266{
87822447 267 krb5_error_code kerror = 0;
e2df6441 268 krb5_context kcontext = NULL;
269 krb5_principal kprinc = NULL;
4e1ae1cd 270 krb5_get_init_creds_opt kopts;
7193eb01 271 krb5_creds v5creds;
e2df6441 272 krb5_ccache kccache = NULL;
273 krb5_keytab keytab = NULL;
4e1ae1cd 274 char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ];
b52ccbb1 275 int i;
87822447 276 waklog_host_config *cfg;
4e1ae1cd 277
87822447 278 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
279 "mod_waklog: waklog_kinit called: pid: %d", getpid() );
4e1ae1cd 280
87822447 281 getModConfig(cfg, s);
58bbdc54 282
e21f34f0 283 if (( kerror = krb5_init_context( &kcontext ))) {
87822447 284 log_error( APLOG_MARK, APLOG_ERR, 0, s,
285 "mod_waklog: %s", (char *)error_message( kerror ));
4e1ae1cd 286
e2df6441 287 goto cleanup;
e21f34f0 288 }
4e1ae1cd 289
e21f34f0 290 /* use the path */
291 if (( kerror = krb5_cc_resolve( kcontext, K5PATH, &kccache )) != 0 ) {
87822447 292 log_error( APLOG_MARK, APLOG_ERR, 0, s,
293 "mod_waklog: %s", (char *)error_message( kerror ));
4e1ae1cd 294
e2df6441 295 goto cleanup;
e21f34f0 296 }
4e1ae1cd 297
87822447 298 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
299 "mod_waklog: keytab_principal: %s", cfg->keytab_principal );
b52ccbb1 300
301 if (( kerror = krb5_parse_name( kcontext, cfg->keytab_principal, &kprinc ))) {
87822447 302 log_error( APLOG_MARK, APLOG_ERR, 0, s,
303 "mod_waklog: %s", (char *)error_message( kerror ));
7193eb01 304
e2df6441 305 goto cleanup;
e21f34f0 306 }
7193eb01 307
e21f34f0 308 krb5_get_init_creds_opt_init( &kopts );
58bbdc54 309 krb5_get_init_creds_opt_set_tkt_life( &kopts, TKT_LIFE );
e21f34f0 310 krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
311 krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
312 krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );
7193eb01 313
58bbdc54 314 /* keytab from config */
315 strncpy( ktbuf, cfg->keytab, sizeof( ktbuf ) - 1 );
7193eb01 316
87822447 317 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
318 "mod_waklog: waklog_kinit using: %s", ktbuf );
7193eb01 319
e21f34f0 320 if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) {
87822447 321 log_error( APLOG_MARK, APLOG_ERR, 0, s,
322 "mod_waklog:krb5_kt_resolve %s", (char *)error_message( kerror ));
7193eb01 323
e2df6441 324 goto cleanup;
e21f34f0 325 }
7193eb01 326
b52ccbb1 327 memset( (char *)&v5creds, 0, sizeof(v5creds));
328
e21f34f0 329 /* get the krbtgt */
330 if (( kerror = krb5_get_init_creds_keytab( kcontext, &v5creds,
403921ef 331 kprinc, keytab, 0, NULL, &kopts ))) {
7193eb01 332
87822447 333 log_error( APLOG_MARK, APLOG_ERR, 0, s,
334 "mod_waklog:krb5_get_init_creds_keytab %s", (char *)error_message( kerror ));
7193eb01 335
e2df6441 336 goto cleanup;
e21f34f0 337 }
7193eb01 338
e21f34f0 339 if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) {
87822447 340 log_error( APLOG_MARK, APLOG_ERR, 0, s,
341 "mod_waklog:krb5_cc_initialize %s", (char *)error_message( kerror ));
7193eb01 342
e2df6441 343 goto cleanup;
e21f34f0 344 }
7193eb01 345
e2df6441 346 kerror = krb5_cc_store_cred( kcontext, kccache, &v5creds );
347 krb5_free_cred_contents( kcontext, &v5creds );
348 if ( kerror != 0 ) {
87822447 349 log_error( APLOG_MARK, APLOG_ERR, 0, s,
350 "mod_waklog: %s", (char *)error_message( kerror ));
7193eb01 351
e2df6441 352 goto cleanup;
e21f34f0 353 }
7193eb01 354
87822447 355 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
356 "mod_waklog: waklog_kinit success" );
e2df6441 357
358cleanup:
359 if ( keytab )
360 (void)krb5_kt_close( kcontext, keytab );
361 if ( kprinc )
362 krb5_free_principal( kcontext, kprinc );
363 if ( kccache )
364 krb5_cc_close( kcontext, kccache );
365 if ( kcontext )
366 krb5_free_context( kcontext );
e21f34f0 367
87822447 368 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
369 "mod_waklog: waklog_kinit: exiting" );
7193eb01 370
87822447 371 return( kerror );
7193eb01 372}
373
374
375 static void
376waklog_aklog( request_rec *r )
377{
378 int rc;
bd173fe7 379 char buf[ MAXKTCTICKETLEN ];
7193eb01 380 const char *k5path = NULL;
381 krb5_error_code kerror;
e2df6441 382 krb5_context kcontext = NULL;
7193eb01 383 krb5_creds increds;
384 krb5_creds *v5credsp = NULL;
e2df6441 385 krb5_ccache kccache = NULL;
403921ef 386 struct ktc_principal server = { "afs", "", "" };
7193eb01 387 struct ktc_principal client;
388 struct ktc_token token;
403921ef 389 waklog_host_config *cfg;
58bbdc54 390 int buflen;
7193eb01 391
87822447 392 k5path = MK_TABLE_GET( r->subprocess_env, "KRB5CCNAME" );
7193eb01 393
87822447 394 log_error( APLOG_MARK, APLOG_INFO, 0, r->server,
395 "mod_waklog: waklog_aklog called: k5path: %s", k5path );
7193eb01 396
161ffd84 397 if ( k5path == NULL ) {
87822447 398 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
399 "mod_waklog: waklog_aklog giving up" );
e2df6441 400 goto cleanup;
4e1ae1cd 401 }
402
7193eb01 403 /*
404 ** Get/build creds from file/tgs, then see if we need to SetToken
405 */
406
407 if (( kerror = krb5_init_context( &kcontext ))) {
408 /* Authentication Required ( kerberos error ) */
87822447 409 log_error( APLOG_MARK, APLOG_ERR, 0, r->server,
410 (char *)error_message( kerror ));
411
e2df6441 412 goto cleanup;
4e1ae1cd 413 }
414
7193eb01 415 memset( (char *)&increds, 0, sizeof(increds));
4e1ae1cd 416
87822447 417 getModConfig(cfg, r->server );
403921ef 418
419 /* afs/<cell> or afs */
420 strncpy( buf, "afs", sizeof( buf ) - 1 );
58bbdc54 421 if ( strcmp( cfg->afs_cell, AFS_CELL ) ) {
403921ef 422 strncat( buf, "/" , sizeof( buf ) - strlen( buf ) - 1 );
423 strncat( buf, cfg->afs_cell, sizeof( buf ) - strlen( buf ) - 1 );
424 }
425
7193eb01 426 /* set server part */
403921ef 427 if (( kerror = krb5_parse_name( kcontext, buf, &increds.server ))) {
87822447 428 log_error( APLOG_MARK, APLOG_ERR, 0, r->server,
429 (char *)error_message( kerror ));
4e1ae1cd 430
e2df6441 431 goto cleanup;
4e1ae1cd 432 }
433
7193eb01 434 if (( kerror = krb5_cc_resolve( kcontext, k5path, &kccache )) != 0 ) {
87822447 435 log_error( APLOG_MARK, APLOG_ERR, 0, r->server,
436 (char *)error_message( kerror ));
7193eb01 437
e2df6441 438 goto cleanup;
7193eb01 439 }
4e1ae1cd 440
7193eb01 441 /* set client part */
442 krb5_cc_get_principal( kcontext, kccache, &increds.client );
4e1ae1cd 443
7193eb01 444 increds.times.endtime = 0;
445 /* Ask for DES since that is what V4 understands */
446 increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
447
448 /* get the V5 credentials */
449 if (( kerror = krb5_get_credentials( kcontext, 0, kccache,
450 &increds, &v5credsp ) ) ) {
87822447 451 log_error( APLOG_MARK, APLOG_ERR, 0, r->server,
452 "mod_waklog: krb5_get_credentials: %s", error_message( kerror ));
e2df6441 453 goto cleanup;
4e1ae1cd 454 }
455
c4ad0387 456 /* don't overflow */
457 if ( v5credsp->ticket.length >= MAXKTCTICKETLEN ) { /* from krb524d.c */
87822447 458 log_error( APLOG_MARK, APLOG_ERR, 0, r->server,
459 "mod_waklog: ticket size (%d) too big to fake", v5credsp->ticket.length );
e2df6441 460 goto cleanup;
4e1ae1cd 461 }
462
7193eb01 463 /* assemble the token */
58bbdc54 464 memset( &token, 0, sizeof( struct ktc_token ) );
465
466 token.startTime = v5credsp->times.starttime ? v5credsp->times.starttime : v5credsp->times.authtime;
7193eb01 467 token.endTime = v5credsp->times.endtime;
58bbdc54 468 memmove( &token.sessionKey, v5credsp->keyblock.contents, v5credsp->keyblock.length );
469 token.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
470 token.ticketLen = v5credsp->ticket.length;
471 memmove( token.ticket, v5credsp->ticket.data, token.ticketLen );
7193eb01 472
58bbdc54 473 /* make sure we have to do this */
474 if ( child.token.kvno != token.kvno ||
475 child.token.ticketLen != token.ticketLen ||
476 (memcmp( &child.token.sessionKey, &token.sessionKey,
477 sizeof( token.sessionKey ) )) ||
478 (memcmp( child.token.ticket, token.ticket, token.ticketLen )) ) {
479
87822447 480 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
481 "mod_waklog: client: %s", buf );
7193eb01 482
483 /* build the name */
bd173fe7 484 memmove( buf, v5credsp->client->data[0].data,
485 min( v5credsp->client->data[0].length, MAXKTCNAMELEN - 1 ) );
58bbdc54 486 buf[ v5credsp->client->data[0].length ] = '\0';
487 if ( v5credsp->client->length > 1 ) {
8258901d 488 strncat( buf, ".", sizeof( buf ) - strlen( buf ) - 1 );
58bbdc54 489 buflen = strlen( buf );
bd173fe7 490 memmove( buf + buflen, v5credsp->client->data[1].data,
491 min( v5credsp->client->data[1].length, MAXKTCNAMELEN - strlen( buf ) - 1 ) );
58bbdc54 492 buf[ buflen + v5credsp->client->data[1].length ] = '\0';
7193eb01 493 }
494
495 /* assemble the client */
403921ef 496 strncpy( client.name, buf, sizeof( client.name ) - 1 );
497 strncpy( client.instance, "", sizeof( client.instance) - 1 );
bd173fe7 498 memmove( buf, v5credsp->client->realm.data,
499 min( v5credsp->client->realm.length, MAXKTCNAMELEN - 1 ) );
58bbdc54 500 buf[ v5credsp->client->realm.length ] = '\0';
501 strncpy( client.cell, buf, sizeof( client.cell ) - 1 );
403921ef 502
58bbdc54 503 /* assemble the server's cell */
403921ef 504 strncpy( server.cell, cfg->afs_cell , sizeof( server.cell ) - 1 );
7193eb01 505
87822447 506 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
507 "mod_waklog: server: name=%s, instance=%s, cell=%s",
508 server.name, server.instance, server.cell );
509
510 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
511 "mod_waklog: client: name=%s, instance=%s, cell=%s",
512 client.name, client.instance, client.cell );
7193eb01 513
514 /* use the path */
7193eb01 515
516 /* rumor: we have to do this for AIX 4.1.4 with AFS 3.4+ */
517 write( 2, "", 0 );
518
519 if ( ( rc = ktc_SetToken( &server, &token, &client, 0 ) ) ) {
87822447 520 log_error( APLOG_MARK, APLOG_ERR, 0, r->server,
521 "mod_waklog: settoken returned %d", rc );
58bbdc54 522 goto cleanup;
7193eb01 523 }
524
525 /* save this */
58bbdc54 526 memmove( &child.token, &token, sizeof( struct ktc_token ) );
7193eb01 527
528 /* we'll need to unlog when this connection is done. */
e2df6441 529 ap_register_cleanup( r->pool, (void *)r, token_cleanup, ap_null_cleanup );
7193eb01 530 }
531
e2df6441 532cleanup:
533 if ( v5credsp )
534 krb5_free_cred_contents( kcontext, v5credsp );
535 if ( increds.client )
536 krb5_free_principal( kcontext, increds.client );
537 if ( increds.server )
538 krb5_free_principal( kcontext, increds.server );
539 if ( kccache )
540 krb5_cc_close( kcontext, kccache );
541 if ( kcontext )
542 krb5_free_context( kcontext );
3ed1e28a 543
87822447 544 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
545 "mod_waklog: finished with waklog_aklog" );
7193eb01 546
e2df6441 547 return;
548
4e1ae1cd 549}
550
e21f34f0 551 static int
552waklog_child_routine( void *s, child_info *pinfo )
553{
e21f34f0 554 if ( !getuid() ) {
87822447 555 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
556 "mod_waklog: waklog_child_routine called as root" );
e21f34f0 557
558 /* this was causing the credential file to get owned by root */
ea3e8708 559#ifdef STANDARD20_MODULE_STUFF
e21f34f0 560 setgid(ap_group_id);
561 setuid(ap_user_id);
ea3e8708 562#endif
e21f34f0 563 }
564
565 while( 1 ) {
e2df6441 566 waklog_kinit( s );
87822447 567 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
568 "mod_waklog: child_routine sleeping" );
58bbdc54 569 sleep( SLEEP_TIME );
87822447 570 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
571 "mod_waklog: slept, calling waklog_kinit" );
e21f34f0 572 }
573
574}
575
87822447 576#ifdef STANDARD20_MODULE_STUFF
577static int
578waklog_init_handler(apr_pool_t *p, apr_pool_t *plog,
579 apr_pool_t *ptemp, server_rec *s)
580{
581 int rv;
582 extern char *version;
583 apr_proc_t *proc;
584 waklog_host_config *cfg;
585 void *data;
586
587 getModConfig(cfg, s);
588
589 /* initialize_module() will be called twice, and if it's a DSO
590 * then all static data from the first call will be lost. Only
591 * set up our static data on the second call.
592 * see http://issues.apache.org/bugzilla/show_bug.cgi?id=37519 */
593 apr_pool_userdata_get(&data, userdata_key, s->process->pool);
594
595 if (!data) {
596 apr_pool_userdata_set((const void *)1, userdata_key,
597 apr_pool_cleanup_null, s->process->pool);
598 } else {
599 log_error( APLOG_MARK, APLOG_INFO, 0, s,
600 "mod_waklog: version %s initialized.", version );
601
602 proc = (apr_proc_t *)ap_pcalloc( s->process->pool, sizeof(apr_proc_t));
603
604 rv = apr_proc_fork(proc, s->process->pool);
605
606 if (rv == APR_INCHILD) {
607 waklog_child_routine(s, NULL);
608 } else {
609 apr_pool_note_subprocess(s->process->pool, proc, APR_KILL_ALWAYS);
610 }
611 /* parent and child */
612 cfg->forked = proc->pid;
613 }
614 return 0;
615}
616#else
e21f34f0 617 static void
87822447 618waklog_init( server_rec *s, MK_POOL *p )
e21f34f0 619{
620 extern char *version;
621 int pid;
622
87822447 623 log_error( APLOG_MARK, APLOG_INFO, 0, s,
624 "mod_waklog: version %s initialized.", version );
e21f34f0 625
626 pid = ap_bspawn_child( p, waklog_child_routine, s, kill_always,
627 NULL, NULL, NULL );
628
87822447 629 log_error( APLOG_MARK, APLOG_DEBUG, 0, s,
630 "mod_waklog: ap_bspawn_child: %d.", pid );
e21f34f0 631}
87822447 632#endif
4e1ae1cd 633
bed98ff9 634 static int
7193eb01 635waklog_phase0( request_rec *r )
bed98ff9 636{
313dde40 637 waklog_host_config *cfg;
638
87822447 639 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
640 "mod_waklog: phase0 called" );
7193eb01 641
87822447 642 getModConfig(cfg, r->server );
313dde40 643
87822447 644 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
645 "mod_waklog: phase0, checking cfg->protect" );
7193eb01 646 if ( !cfg->protect ) {
87822447 647 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
648 "mod_waklog: phase0 declining" );
7193eb01 649 return( DECLINED );
650 }
4e1ae1cd 651
87822447 652 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
653 "mod_waklog: phase0, NOT setting environment variable" );
654 /* set our environment variable */
655 apr_table_set( r->subprocess_env, "KRB5CCNAME", K5PATH );
b52ccbb1 656
87822447 657 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
658 "mod_waklog: phase0, checking child.token.ticketLen" );
7193eb01 659 /* do this only if we are still unauthenticated */
58bbdc54 660 if ( !child.token.ticketLen ) {
87822447 661
662 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
663 "mod_waklog: phase0, calling waklog_aklog" );
7193eb01 664 /* stuff the credentials into the kernel */
665 waklog_aklog( r );
4e1ae1cd 666 }
7193eb01 667
87822447 668 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
669 "mod_waklog: phase0 returning" );
7193eb01 670 return DECLINED;
671}
4e1ae1cd 672
1e18ef7d 673
7193eb01 674 static int
675waklog_phase7( request_rec *r )
676{
677 waklog_host_config *cfg;
1e18ef7d 678
87822447 679 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
680 "mod_waklog: phase7 called" );
1e18ef7d 681
87822447 682 getModConfig(cfg, r->server );
bed98ff9 683
7193eb01 684 if ( !cfg->protect ) {
685 return( DECLINED );
bed98ff9 686 }
687
7193eb01 688 /* stuff the credentials into the kernel */
87822447 689
690 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
691 "mod_waklog: phase7, calling waklog_aklog" );
7193eb01 692 waklog_aklog( r );
bed98ff9 693
87822447 694 log_error( APLOG_MARK, APLOG_DEBUG, 0, r->server,
695 "mod_waklog: phase7 returning" );
bed98ff9 696
7193eb01 697 return DECLINED;
bed98ff9 698}
699
ff47641b 700
87822447 701static
702#ifdef STANDARD20_MODULE_STUFF
ff47641b 703 int
87822447 704#else
ff47641b 705 void
87822447 706#endif
ff47641b 707waklog_new_connection (conn_rec * c
87822447 708#ifdef STANDARD20_MODULE_STUFF
709 , void *dummy
710#endif
ff47641b 711 )
712{
713
714 waklog_config *cfg;
715
716 log_error (APLOG_MARK, APLOG_DEBUG, 0, c->base_server,
717 "mod_waklog: new_connection called: pid: %d", getpid ());
718 /*
719 getModConfig(cfg, c->base_server);
720
721 if ( cfg->default_principal ) {
722 log_error(APLOG_MARK, APLOG_DEBUG, 0, c->base_server, "mod_waklog: new conn setting default user %s",
723 cfg->default_principal);
724 set_auth( c->base_server, NULL, 0, cfg->default_principal, cfg->default_keytab, 0);
725 }
726 */
727
87822447 728 return
729#ifdef STANDARD20_MODULE_STUFF
730 0
731#endif
732 ;
7193eb01 733}
bed98ff9 734
c4ad0387 735
1196adfe 736/*
737** Here's a quick explaination for phase0 and phase2:
738** Apache does a stat() on the path between phase0 and
739** phase2, and must by ACLed rl to succeed. So, at
740** phase0 we acquire credentials for umweb:servers from
741** a keytab, and at phase2 we must ensure we remove them.
742**
743** Failure to "unlog" would be a security risk.
744*/
ff47641b 745static int
746waklog_phase2 (request_rec * r)
c4ad0387 747{
161ffd84 748
ff47641b 749 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
750 "mod_waklog: phase2 called");
1196adfe 751
ff47641b 752 if (child.token.ticketLen)
753 {
754 memset (&child.token, 0, sizeof (struct ktc_token));
c4ad0387 755
ff47641b 756 ktc_ForgetAllTokens ();
c4ad0387 757
ff47641b 758 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
759 "mod_waklog: ktc_ForgetAllTokens succeeded: pid: %d",
760 getpid ());
c4ad0387 761 }
1196adfe 762
ff47641b 763 log_error (APLOG_MARK, APLOG_DEBUG, 0, r->server,
764 "mod_waklog: phase2 returning");
1196adfe 765
c4ad0387 766 return DECLINED;
767}
768
87822447 769#ifndef STANDARD20_MODULE_STUFF
313dde40 770module MODULE_VAR_EXPORT waklog_module = {
bed98ff9 771 STANDARD_MODULE_STUFF,
003832b1 772 waklog_init, /* module initializer */
b52ccbb1 773#if 0
4d47a8d9 774 waklog_create_dir_config, /* create per-dir config structures */
b52ccbb1 775#else /* 0 */
776 NULL, /* create per-dir config structures */
777#endif /* 0 */
bed98ff9 778 NULL, /* merge per-dir config structures */
313dde40 779 waklog_create_server_config, /* create per-server config structures */
bed98ff9 780 NULL, /* merge per-server config structures */
313dde40 781 waklog_cmds, /* table of config file commands */
bed98ff9 782 NULL, /* [#8] MIME-typed-dispatched handlers */
783 NULL, /* [#1] URI to filename translation */
784 NULL, /* [#4] validate user id from request */
785 NULL, /* [#5] check if the user is ok _here_ */
786 NULL, /* [#3] check access by host address */
787 NULL, /* [#6] determine MIME type */
7193eb01 788 waklog_phase7, /* [#7] pre-run fixups */
bed98ff9 789 NULL, /* [#9] log a transaction */
c4ad0387 790 waklog_phase2, /* [#2] header parser */
313dde40 791 waklog_child_init, /* child_init */
bed98ff9 792 NULL, /* child_exit */
7193eb01 793 waklog_phase0 /* [#0] post read-request */
bed98ff9 794#ifdef EAPI
795 ,NULL, /* EAPI: add_module */
796 NULL, /* EAPI: remove_module */
797 NULL, /* EAPI: rewrite_command */
7193eb01 798 waklog_new_connection /* EAPI: new_connection */
bed98ff9 799#endif
800};
87822447 801#else
802static void
ff47641b 803waklog_register_hooks (apr_pool_t * p)
87822447 804{
ff47641b 805 ap_hook_header_parser (waklog_phase2, NULL, NULL, APR_HOOK_FIRST);
806 ap_hook_fixups (waklog_phase7, NULL, NULL, APR_HOOK_FIRST);
807 ap_hook_child_init (waklog_child_init, NULL, NULL, APR_HOOK_FIRST);
808 ap_hook_post_read_request (waklog_phase0, NULL, NULL, APR_HOOK_FIRST);
809 ap_hook_pre_connection (waklog_new_connection, NULL, NULL, APR_HOOK_FIRST);
810 ap_hook_post_config (waklog_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
87822447 811}
812
813
814module AP_MODULE_DECLARE_DATA waklog_module =
815{
816 STANDARD20_MODULE_STUFF,
817 NULL, /* create per-dir conf structures */
818 NULL, /* merge per-dir conf structures */
819 waklog_create_server_config, /* create per-server conf structures */
820 NULL, /* merge per-server conf structures */
821 waklog_cmds, /* table of configuration directives */
822 waklog_register_hooks /* register hooks */
823};
824#endif
161ffd84 825
libapache-mod-waklog packaging