diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/unicorn.rb | 2 | ||||
-rw-r--r-- | lib/unicorn/configurator.rb | 22 | ||||
-rw-r--r-- | lib/unicorn/http_server.rb | 4 | ||||
-rw-r--r-- | lib/unicorn/oob_gc.rb | 3 | ||||
-rw-r--r-- | lib/unicorn/socket_helper.rb | 7 | ||||
-rw-r--r-- | lib/unicorn/worker.rb | 13 |
6 files changed, 41 insertions, 10 deletions
diff --git a/lib/unicorn.rb b/lib/unicorn.rb index f122563..4bd7bda 100644 --- a/lib/unicorn.rb +++ b/lib/unicorn.rb @@ -95,7 +95,7 @@ module Unicorn # returns an array of strings representing TCP listen socket addresses # and Unix domain socket paths. This is useful for use with - # Raindrops::Middleware under Linux: http://raindrops.bogomips.org/ + # Raindrops::Middleware under Linux: https://bogomips.org/raindrops/ def self.listener_names Unicorn::HttpServer::LISTENERS.map do |io| Unicorn::SocketHelper.sock_name(io) diff --git a/lib/unicorn/configurator.rb b/lib/unicorn/configurator.rb index 1e2b6e4..7ed5ffa 100644 --- a/lib/unicorn/configurator.rb +++ b/lib/unicorn/configurator.rb @@ -49,6 +49,9 @@ class Unicorn::Configurator server.logger.error(m) end }, + :after_worker_ready => lambda { |server, worker| + server.logger.info("worker=#{worker.nr} ready") + }, :pid => nil, :preload_app => false, :check_client_connection => false, @@ -172,6 +175,21 @@ class Unicorn::Configurator set_hook(:after_worker_exit, block_given? ? block : args[0], 3) end + # sets after_worker_ready hook to a given block. This block will be called + # by a worker process after it has been fully loaded, directly before it + # starts responding to requests: + # + # after_worker_ready do |server,worker| + # server.logger.info("worker #{worker.nr} ready, dropping privileges") + # worker.user('username', 'groupname') + # end + # + # Do not use Configurator#user if you rely on changing users in the + # after_worker_ready hook. + def after_worker_ready(*args, &block) + set_hook(:after_worker_ready, block_given? ? block : args[0]) + end + # sets before_fork got be a given Proc object. This Proc # object will be called by the master process before forking # each worker. @@ -569,6 +587,10 @@ class Unicorn::Configurator # This switch will occur after calling the after_fork hook, and only # if the Worker#user method is not called in the after_fork hook # +group+ is optional and will not change if unspecified. + # + # Do not use Configurator#user if you rely on changing users in the + # after_worker_ready hook. Instead, you need to call Worker#user + # directly in after_worker_ready. def user(user, group = nil) # raises ArgumentError on invalid user/group Etc.getpwnam(user) diff --git a/lib/unicorn/http_server.rb b/lib/unicorn/http_server.rb index c2086cb..ef897ad 100644 --- a/lib/unicorn/http_server.rb +++ b/lib/unicorn/http_server.rb @@ -15,7 +15,7 @@ class Unicorn::HttpServer :before_fork, :after_fork, :before_exec, :listener_opts, :preload_app, :orig_app, :config, :ready_pipe, :user - attr_writer :after_worker_exit + attr_writer :after_worker_exit, :after_worker_ready attr_reader :pid, :logger include Unicorn::SocketHelper @@ -644,7 +644,7 @@ class Unicorn::HttpServer trap(:USR1) { nr = -65536 } ready = readers.dup - @logger.info "worker=#{worker.nr} ready" + @after_worker_ready.call(self, worker) begin nr < 0 and reopen_worker_logs(worker.nr) diff --git a/lib/unicorn/oob_gc.rb b/lib/unicorn/oob_gc.rb index 5572e59..c4741a0 100644 --- a/lib/unicorn/oob_gc.rb +++ b/lib/unicorn/oob_gc.rb @@ -66,10 +66,9 @@ module Unicorn::OobGC end #:stopdoc: - PATH_INFO = "PATH_INFO" def process_client(client) super(client) # Unicorn::HttpServer#process_client - if OOBGC_PATH =~ OOBGC_ENV[PATH_INFO] && ((@@nr -= 1) <= 0) + if OOBGC_PATH =~ OOBGC_ENV['PATH_INFO'] && ((@@nr -= 1) <= 0) @@nr = OOBGC_INTERVAL OOBGC_ENV.clear disabled = GC.enable diff --git a/lib/unicorn/socket_helper.rb b/lib/unicorn/socket_helper.rb index 5371413..f52dde2 100644 --- a/lib/unicorn/socket_helper.rb +++ b/lib/unicorn/socket_helper.rb @@ -75,12 +75,15 @@ module Unicorn elsif respond_to?(:accf_arg) name = opt[:accept_filter] name = DEFAULTS[:accept_filter] if name.nil? + sock.listen(opt[:backlog]) + got = (sock.getsockopt(:SOL_SOCKET, :SO_ACCEPTFILTER) rescue nil).to_s + arg = accf_arg(name) begin - sock.setsockopt(:SOL_SOCKET, :SO_ACCEPTFILTER, accf_arg(name)) + sock.setsockopt(:SOL_SOCKET, :SO_ACCEPTFILTER, arg) rescue => e logger.error("#{sock_name(sock)} " \ "failed to set accept_filter=#{name} (#{e.inspect})") - end + end if arg != got end end diff --git a/lib/unicorn/worker.rb b/lib/unicorn/worker.rb index 6748a2f..e22c1bf 100644 --- a/lib/unicorn/worker.rb +++ b/lib/unicorn/worker.rb @@ -111,9 +111,11 @@ class Unicorn::Worker # In most cases, you should be using the Unicorn::Configurator#user # directive instead. This method should only be used if you need # fine-grained control of exactly when you want to change permissions - # in your after_fork hooks. + # in your after_fork or after_worker_ready hooks, or if you want to + # use the chroot support. # - # Changes the worker process to the specified +user+ and +group+ + # Changes the worker process to the specified +user+ and +group+, + # and chroots to the current working directory if +chroot+ is set. # This is only intended to be called from within the worker # process from the +after_fork+ hook. This should be called in # the +after_fork+ hook after any privileged functions need to be @@ -123,7 +125,7 @@ class Unicorn::Worker # directly back to the caller (usually the +after_fork+ hook. # These errors commonly include ArgumentError for specifying an # invalid user/group and Errno::EPERM for insufficient privileges - def user(user, group = nil) + def user(user, group = nil, chroot = false) # we do not protect the caller, checking Process.euid == 0 is # insufficient because modern systems have fine-grained # capabilities. Let the caller handle any and all errors. @@ -134,6 +136,11 @@ class Unicorn::Worker Process.initgroups(user, gid) Process::GID.change_privilege(gid) end + if chroot + chroot = Dir.pwd if chroot == true + Dir.chroot(chroot) + Dir.chdir('/') + end Process.euid != uid and Process::UID.change_privilege(uid) @switched = true end |