Lines 50-55
|
50 |
|
50 |
|
51 |
static int g_process_counter = 0; |
51 |
static int g_process_counter = 0; |
52 |
|
52 |
|
|
|
53 |
extern PFNGETUSERCREDENTIALS g_pfnGetUserCredentials; |
54 |
|
53 |
static apr_status_t close_finish_event(void *finishevent) |
55 |
static apr_status_t close_finish_event(void *finishevent) |
54 |
{ |
56 |
{ |
55 |
HANDLE *finish_event = finishevent; |
57 |
HANDLE *finish_event = finishevent; |
Lines 58-63
|
58 |
return APR_SUCCESS; |
60 |
return APR_SUCCESS; |
59 |
} |
61 |
} |
60 |
|
62 |
|
|
|
63 |
/* CGI process impersonation routine |
64 |
*/ |
65 |
apr_status_t proc_impersonate(fcgid_proc_info *procinfo, apr_procattr_t *proc_attr) |
66 |
{ |
67 |
#define BUFFERLEN 1024 |
68 |
char szUsername[BUFFERLEN] = {0}; |
69 |
char szPassword[BUFFERLEN] = {0}; |
70 |
int nUsernameLen = BUFFERLEN; |
71 |
int nPasswordLen = BUFFERLEN; |
72 |
|
73 |
apr_status_t rv = APR_BADARG; |
74 |
apr_uint32_t dwError = 0; |
75 |
apr_uint32_t dwTimer = GetTickCount(); |
76 |
|
77 |
fcgid_server_conf *sconf = ap_get_module_config(procinfo->main_server-> |
78 |
module_config, &fcgid_module); |
79 |
|
80 |
if (sconf == NULL){ |
81 |
ap_log_error(APLOG_MARK, APLOG_ERR, rv, procinfo->main_server, |
82 |
"mod_fcgid: fcgi server configuration info unavailable"); |
83 |
return rv; |
84 |
} |
85 |
|
86 |
if (sconf->bImpersonation == FALSE){ |
87 |
return APR_SUCCESS; |
88 |
} |
89 |
|
90 |
ap_log_error(APLOG_MARK, /*APLOG_DEBUG*/APLOG_INFO, 0, procinfo->main_server, |
91 |
"mod_fcgid: Starting Impersonation started"); |
92 |
|
93 |
if (proc_attr == NULL){ |
94 |
ap_log_error(APLOG_MARK, APLOG_ERR, rv, procinfo->main_server, |
95 |
"mod_fcgid: process attribute info unavailable"); |
96 |
return rv; |
97 |
} |
98 |
|
99 |
if (g_hImpersonationCredentialProviderDLL == NULL){ |
100 |
rv = APR_FROM_OS_ERROR(ERROR_DLL_NOT_FOUND); |
101 |
ap_log_error(APLOG_MARK, APLOG_ERR, rv, procinfo->main_server, |
102 |
"mod_fcgid: Credential provider module unavailable"); |
103 |
return rv; |
104 |
} |
105 |
|
106 |
if (g_pfnGetUserCredentials == NULL){ |
107 |
rv = APR_FROM_OS_ERROR(ERROR_BAD_DLL_ENTRYPOINT); |
108 |
ap_log_error(APLOG_MARK, APLOG_ERR, rv, procinfo->main_server, |
109 |
"mod_fcgid: Credential provider module entry point unavailable"); |
110 |
return rv; |
111 |
} |
112 |
|
113 |
|
114 |
/* Get credentials, note that we expect credential caching to be done by |
115 |
* the provider DLL for security reasons |
116 |
*/ |
117 |
dwError = g_pfnGetUserCredentials(szUsername, &nUsernameLen, |
118 |
szPassword, &nPasswordLen); |
119 |
if (dwError != ERROR_SUCCESS){ |
120 |
rv = APR_FROM_OS_ERROR(dwError); |
121 |
ap_log_error(APLOG_MARK, APLOG_ERR, rv, procinfo->main_server, |
122 |
"mod_fcgid: error retreiving credientials from " |
123 |
"ImpersonationCredentialProviderDLL %s function %s", |
124 |
sconf->pszImpersonationCredentialProviderPath, |
125 |
sconf->pszImpersonatorFunctionName); |
126 |
return rv; |
127 |
} |
128 |
szUsername[nUsernameLen] = 0; |
129 |
szPassword[nPasswordLen] = 0; |
130 |
|
131 |
|
132 |
/* In order for CGI process to access remote DB in Win Authentication |
133 |
* mode we raise the impersonation to Delegation level |
134 |
*/ |
135 |
apr_procattr_impersonation_level_set(proc_attr, SecurityDelegation); |
136 |
|
137 |
/* Request imperonsation with delegation rights |
138 |
*/ |
139 |
rv = apr_procattr_user_set(proc_attr, szUsername, szPassword); |
140 |
if (rv != APR_SUCCESS){ |
141 |
ap_log_error(APLOG_MARK, APLOG_WARNING, rv, procinfo->main_server, |
142 |
"mod_fcgid: Impersonation failed for user: %s password: %s", |
143 |
szUsername, "*******" /*szPassword*/); |
144 |
return rv; |
145 |
} |
146 |
|
147 |
/* Wipe out the username and password details from memory to avoid exposing |
148 |
* the same from VM images, crash dumps, etc. |
149 |
*/ |
150 |
SecureZeroMemory(szUsername, sizeof(szUsername)); |
151 |
SecureZeroMemory(szPassword, sizeof(szPassword)); |
152 |
|
153 |
ap_log_error(APLOG_MARK, /*APLOG_DEBUG*/ APLOG_INFO, 0, procinfo->main_server, |
154 |
"mod_fcgid: Impersonation took %u ms", GetTickCount() - dwTimer); |
155 |
|
156 |
return rv; |
157 |
} |
61 |
apr_status_t proc_spawn_process(const char *cmdline, fcgid_proc_info *procinfo, |
158 |
apr_status_t proc_spawn_process(const char *cmdline, fcgid_proc_info *procinfo, |
62 |
fcgid_procnode *procnode) |
159 |
fcgid_procnode *procnode) |
63 |
{ |
160 |
{ |
Lines 166-171
|
166 |
return APR_ENOPROC; |
263 |
return APR_ENOPROC; |
167 |
} |
264 |
} |
168 |
|
265 |
|
|
|
266 |
|
267 |
/* LTAC - FcgidImpersonation feature*/ |
268 |
rv = proc_impersonate(procinfo, proc_attr); |
269 |
|
169 |
/* fork and exec now */ |
270 |
/* fork and exec now */ |
170 |
rv = apr_proc_create(&(procnode->proc_id), wargv[0], wargv, |
271 |
rv = apr_proc_create(&(procnode->proc_id), wargv[0], wargv, |
171 |
proc_environ, proc_attr, procnode->proc_pool); |
272 |
proc_environ, proc_attr, procnode->proc_pool); |
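Review bot: The status returned by `proc_impersonate()` at new line 268 is discarded, because `rv` is overwritten by `apr_proc_create` two lines later; with FcgidImpersonation enabled, a failed credential lookup or a failed `apr_procattr_user_set` still spawns the CGI process, presumably under the server's own identity. The call should fail closed, e.g. `if ((rv = proc_impersonate(procinfo, proc_attr)) != APR_SUCCESS) return rv;`, plus whatever cleanup the earlier `return APR_ENOPROC;` path performs; the body of `proc_spawn_process` lies mostly outside the visible hunks, so that cleanup cannot be checked here. Inside `proc_impersonate`, `szUsername[nUsernameLen] = 0;` and `szPassword[nPasswordLen] = 0;` index the 1024-byte stack buffers with lengths written by the provider DLL, so a returned length of `BUFFERLEN` or more, or a negative one, writes out of bounds; reject it first with a check such as `if (nUsernameLen < 0 || nUsernameLen >= BUFFERLEN || nPasswordLen < 0 || nPasswordLen >= BUFFERLEN)`. The two `SecureZeroMemory` calls are reached only on the success path, so both early returns after the provider call leave the username and password on the stack; wipe the buffers before each of those returns as well.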