Forum OpenACS Development: AOL 3.5 and APM

It ends up that ns_write breaks certain reverse proxies (i.e. pound). This is because it never sends an http header.

I switched to squid, which seems like a lot of overhead for what I need. I also tried nxunix/vhr under 3.5 and have it working except that the log files show the original ip.

If anyone has a fix for the x-forwarded-for header of ns_log I would really appreciate it.

I am documenting my trials and tribulations with single ip/multiple servers for an advanced config guide.

Pages that use ns_write correctly either write out the headers themselves or use ReturnHeaders https://openacs.org/api-doc/proc-view?proc=ReturnHeaders

ns_write provides low level access to the socket. You use it when you want to, or have to:

• Write your own complete response.
• Use several calls to send information out the socket.
• Impress your friends :)

ReturnHeaders mentioned above uses ns_write to create a basic response.

My feeling it that ns_write doesn't work as intended with the request processor, which wants to bundle everything up and send it at one time.

(For anyone who doesn't read the AOLserver mailing list.) I'm working on forward porting the AD13+OACS1 changes to 3.5.2. I think I'm mostly done, but I need some help testing the patches. (I'm on Win32 and haven't ever used the i18n code before.) I'm working from the notes I made earlier - http://panoptic.com/wiki/aolserver/92 If anyone would like "preview" patches, I'd be happy to email them to you. Suggestions on good tests to run are also welcome.

Is the gid stuff fixed in 3.5?

root# /usr/local/aolserver-3.5/bin/nsd -V                          
AOLserver/3.5.2 (aolserver_v35_b2)                                              
   CVS Tag:         $Name: aolserver_v35_b2 $                                   
   Built:           Jan  6 2003 at 19:35:54                                     
   Tcl version:     8.4                                                         
   Thread library:  pthread                                                     
   Platform:        linux 

No matter how I set the "-g" flag, aolserver runs as the default group of my "-u" user So, if I try to run it as group 'nogroup', it still runs as vinod's default group "web"

root# ps -Ao pid,user,group,cmd | grep 'nsd'
  485 vinod    web   /usr/local/aolserver-3.5/bin/nsd -t /usr/local/aolserver-3.5/nsd.tcl -u vinod -g nogroup

or if I try to run it as "-u oracle -g audio", it instead runs under oracle's default group 'dba'

 1427 oracle   dba   /usr/local/aolserver-3.5/bin/nsd -t /usr/local/aolserver-3.5/nsd.tcl -u oracle -g audio

Perhaps there's just something wrong with my installation?

Probably Jon's patch would allow an illegal group to be specified for a user.

3.5.1 is broken in the sense that the -g switch doesn't work, you can only use the user's main group. But it also allows you to set the root group by setting the main group of a user to root. Looks like Jon's patch allows this as well.

I wrote some code to check that a user is in the group specified after -g, disallowing root group and setting the group to any legal group for the user. I wrote a few extra Ns_ commands to do this, but it looks like the actual code maybe should be in nsmain.c, not in an external function. Lemme dig up the code.

#include <stdio.h>
#include <stdlib.h>
#include <grp.h>
#include <pwd.h>

int Ns_UserGroupCheck( char *user, char *group );
int Ns_GetUserGid(char *user);
int Ns_GetUid(char *user);
int Ns_GetGid(char *group);
char *Ns_GetUserName(int uid);
char *Ns_GetGroupName(int gid);


int
main (int argc, char **argv) 

{

  char *group;
  char *user;

  if ( ( (user = argv[1]) != NULL ) && ( (group = argv[2]) != NULL ) ) {
      printf("check returned: %i\n", Ns_UserGroupCheck(user, group));
  } else {
     printf("usage: %s username groupname\n", argv[0]);
  }
  
  return 0;

} 

/*
 * Ns_UserGroupCheck checks:
 * 1. user uid > 0, else return false
 * 2. group gid > 0, else return false
 * 5. user in group, else return false
 * 6. return true.
 */
 
int
Ns_UserGroupCheck( char *user, char *group ) 
{
  
  int gid, uid;
  int ret;
  char *grp;
  struct group *grent;
  char **members;
  char *member;
  int i = 0;

  
  uid = Ns_GetUid(user);

  if (uid > 0) {
    // valid user
  } else if (uid == 0) {
    // root user
    return 0;
  } else if (uid == -1 && ( uid = atoi(user) ) && ( ( user = Ns_GetUserName(uid) ) != NULL ) ) {
    // valid user
  } else {
    // invalid or root user
    return uid;
  }

  gid = Ns_GetGid(group);

  if (gid > 0) {
    // valid group
  } else if (gid == 0) {
    // root group
    return 0;
  } else if (gid == -1 && ( gid = atoi(group) ) && ( ( group = Ns_GetGroupName(gid) ) != NULL ) ) {
    // valid group
  } else {
    // invalid group or root group
    return gid;
  }

  // valid user and group 
  // check if user in primary group

  if ( gid == Ns_GetUserGid(user) ) {
    return 1;
  }
  // check if user in additional group
  
  grent = getgrnam(group);
  members = grent->gr_mem;
  
  while( members[i] ) {
    printf ("member %i: %s\n", i, members[i]);
    if (!strcmp(members[i], user)) {
      return 1;
    }
    i++;
  }
  return -1;

}

int
Ns_GetUserGid(char *user)
{
    struct passwd  *pw;
    int             retcode;

    //Ns_MutexLock(&lock);
    pw = getpwnam(user);
    if (pw == NULL) {
        retcode = -1;
    } else {
        retcode = pw->pw_gid;
    }
    //Ns_MutexUnlock(&lock);

    return retcode;
}

int
Ns_GetUid(char *user)
{
    struct passwd  *pw;
    int             retcode;

    //Ns_MutexLock(&lock);
    pw = getpwnam(user);
    if (pw == NULL) {
        retcode = -1;
    } else {
        retcode = pw->pw_uid;
    }
    //Ns_MutexUnlock(&lock);

    return retcode;
}

char *
Ns_GetUserName(int uid)
{
    struct passwd  *pw;
    char           *pwname;

    //Ns_MutexLock(&lock);
    pw = getpwuid(uid);
    if (pw == NULL) {
        pwname = NULL;
    } else {
        pwname = pw->pw_name;
    }
    //Ns_MutexUnlock(&lock);

    return pwname;
}

char *
Ns_GetGroupName(int gid)
{
    struct group   *grent;
    char           *grpname;

    //Ns_MutexLock(&lock);
    grent = getgrgid(gid);
    if (grent == NULL) {
        grpname = NULL;
    } else {
        grpname = grent->gr_name;
    }
    //Ns_MutexUnlock(&lock);

    return grpname;
}

int
Ns_GetGid(char *group)
{
    int             retcode;
    struct group   *grent;

    //Ns_MutexLock(&lock);
    grent = getgrnam(group);
    if (grent == NULL) {
        retcode = -1;
    } else {
        retcode = grent->gr_gid;
    }
    //Ns_MutexUnlock(&lock);

    return retcode;
}

You can compile and test without aolserver, I just commented out the Ns_Mutex locks to run it.

Problems is the code doesn't distinguish between invalid or root user/group, which would not matter in nsmain.c.

Jamie,
The zip file is corrupt.
Also, where is 3.5.2 I only see 3.5.1 at aolserver.com?

Sorry about the corruption, I'm just no good at this.  I opened up the file in 7-Zip, which must have corrupted it somehow, though it still isn't giving me any problems.  I'm trying again, but you should probably just get the file from Andy, he knows what he's doing. 😉

Well I hate to sound like the greasy wheel, but the tone of the chat reminds me of the AOL of old. Do what we say and no, you don't get cvs access.

They are making a huge mistake as the 3.5.x patches are basically done. I just put them on some production boxes and have only one minor acs-lang problem and I am sure that is my fault.

I won't trust my important sites to a .0 release and the attitude of "we want the community to focus on 4.x" is ridiculous. There isn't even any clear instructions on the crappy sourceforge site on how to focus on it.

Jon, at first my thinking was much like yours.  But, the list of
Developers on aolserver.sourceforge.net is very long.

Dan Wickstrom, Dave Bauer, Don Baccus, Jeff Davis, Jerry Asher, Jamie
Rasmussen, Tom Jackson, Scott Goodwin, David Walker - presumably any
one of those people can commit the 3.5.x patches if they feel the
need, no?