unit.git/auto/unix, branch 1.19.0 Universal Web Application Server Changed the group listing to run unprivileged when possible. 2019-11-26T16:15:23+00:00 Tiago Natel t.nateldemoura@f5.com 2019-11-26T16:15:23+00:00 2f23923e44d4528a547d2a29212ac93c3f0e25de Now the nxt_user_groups_get() function uses getgrouplist(3) when available (except MacOS, see below). For some platforms, getgrouplist() supports a method of probing how much groups the user has but the behavior is not consistent. The method used here consists of optimistically trying to get up to min(256, NGROUPS_MAX) groups; only if ngroups returned exceeds the original value, we do a second call. This method can block main's process if LDAP/NDIS+ is in use. MacOS has getgrouplist(3) but it's buggy. It doesn't update ngroups if the value passed is smaller than the number of groups the user has. Some projects (like Go stdlib) call getgrouplist() in a loop, increasing ngroups until it exceeds the number of groups user belongs to or fail when a limit is reached. For performance reasons, this is to be avoided and MacOS is handled in the fallback implementation. The fallback implementation is the old Unit approach. It saves main's user groups (getgroups(2)) and then calls initgroups(3) to load application's groups in main, then does a second getgroups(2) to store the gids and restore main's groups in the end. Because of initgroups(3)' call to setgroups(2), this method requires root capabilities. In the case of OSX, which has small NGROUPS_MAX by default (16), it's not possible to restore main's groups if it's large; if so, this method fallbacks again: user_cred gids aren't stored, and the worker process calls initgroups() itself and may block for some time if LDAP/NDIS+ is in use. 
Now the nxt_user_groups_get() function uses getgrouplist(3) when available
(except MacOS, see below).  For some platforms, getgrouplist() supports
a method of probing how much groups the user has but the behavior is not
consistent.  The method used here consists of optimistically trying to get up
to min(256, NGROUPS_MAX) groups; only if ngroups returned exceeds the original
value, we do a second call.  This method can block main's process if LDAP/NDIS+
is in use.

MacOS has getgrouplist(3) but it's buggy.  It doesn't update ngroups if the
value passed is smaller than the number of groups the user has.  Some
projects (like Go stdlib) call getgrouplist() in a loop, increasing ngroups
until it exceeds the number of groups user belongs to or fail when a limit
is reached.  For performance reasons, this is to be avoided and MacOS is
handled in the fallback implementation.

The fallback implementation is the old Unit approach.  It saves main's
user groups (getgroups(2)) and then calls initgroups(3) to load application's
groups in main, then does a second getgroups(2) to store the gids and restore
main's groups in the end.  Because of initgroups(3)' call to setgroups(2),
this method requires root capabilities.  In the case of OSX, which has
small NGROUPS_MAX by default (16), it's not possible to restore main's groups
if it's large; if so, this method fallbacks again: user_cred gids aren't
stored, and the worker process calls initgroups() itself and may block for
some time if LDAP/NDIS+ is in use.
Configure: fixed posix_spawn() detection with glic 2.30. 2019-11-22T11:06:02+00:00 Sergey Kandaurov pluknet@nginx.com 2019-11-22T11:06:02+00:00 94a9162baa82809ec58a3d06ca3489c7e7fed6ed In particular, it was previously broken on Ubuntu 19.10 and Fedora 31. See for details: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=2ab5741 
In particular, it was previously broken on Ubuntu 19.10 and Fedora 31.
See for details: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=2ab5741
Added getentropy() support. 2018-07-16T10:30:11+00:00 Sergey Kandaurov pluknet@nginx.com 2018-07-16T10:30:11+00:00 7c5a710c5543debff0c70cb4839e15e9a1da322b Prodded by David Carlier. 
Prodded by David Carlier.
Supplied getrandom() test with commentary about supported OSes. 2018-07-16T10:17:49+00:00 Sergey Kandaurov pluknet@nginx.com 2018-07-16T10:17:49+00:00 bf1cb8f399b2b580da5c014439eff038e9d1315f 






Using getrandom() libc interface, SYS_getrandom fixes.
2018-05-24T17:35:47+00:00

Sergey Kandaurov
pluknet@nginx.com

2018-05-24T17:35:47+00:00

a9ea218e7e119d7d7d050156835d4e16f41d0a6c

The interface is available since Glibc 2.25, and FreeBSD 12.0.





The interface is available since Glibc 2.25, and FreeBSD 12.0.







The new module configuration interface.
2017-08-17T18:47:19+00:00

Igor Sysoev
igor@sysoev.ru

2017-08-17T18:47:19+00:00

949548da293fa30ef200d07c3e4ff108174404b7

Configuration and building example:

  ./configure
  ./configure python
  ./configure php
  ./configure go
  make all

or

  ./configure
  make nginext
  ./configure python
  make python
  ./configure php
  make php
  ./configure go
  make go

Modules configuration options and building examples:

  ./configure python --module=python2 --config=python2.7-config
  make python2

  ./configure php --module=php7 --config=php7.0-config
                  --lib-path=/usr/local/php7.0
  make php7

  ./configure go --go=go1.6 --go-path=${HOME}/go1.6
  make go1.6





Configuration and building example:

  ./configure
  ./configure python
  ./configure php
  ./configure go
  make all

or

  ./configure
  make nginext
  ./configure python
  make python
  ./configure php
  make php
  ./configure go
  make go

Modules configuration options and building examples:

  ./configure python --module=python2 --config=python2.7-config
  make python2

  ./configure php --module=php7 --config=php7.0-config
                  --lib-path=/usr/local/php7.0
  make php7

  ./configure go --go=go1.6 --go-path=${HOME}/go1.6
  make go1.6







Restored arc4random unit test after 59fc46dd5e1d.
2017-07-14T17:37:28+00:00

Ruslan Ermilov
ru@nginx.com

2017-07-14T17:37:28+00:00

ca3b1b898a759441664e75ea0d1885e36b9defac












Initial version.
2017-01-17T17:00:00+00:00

Igor Sysoev
igor@sysoev.ru

2017-01-17T17:00:00+00:00

16cbf3c076a0aca6d47adaf3f719493674cf2363