Yes, removing elevate on new and delete instance does break backwards compatibility, but I don't think anyone including Y is using it. If you want me to back out that change I can.
-Bryan On Jan 24, 2014, at 5:11 PM, James Peach <jpe...@apache.org> wrote: > > On Jan 23, 2014, at 1:33 PM, Bryan Call <bc...@yahoo-inc.com> wrote: > >> I removed elevation on delete and new instance. It is needed in dlopen >> because the libraries that we link with in our plugins need root privileges >> when they statically initialize things. > > Ah, static initializers. Is removing the elevation on delete and new instance > a backwards compatibility issue? I'd say so, though I also think that those > are bad times to elevate unless you are using Linux capabilities. > > >> >> -Bryan >> >> >>>> Am 23 yan, 2014 um 22:00 schrieb "James Peach" <jpe...@apache.org>: >>>> >>>>> On Jan 23, 2014, at 6:50 AM, bc...@apache.org wrote: >>>>> >>>>> Updated Branches: >>>>> refs/heads/master 00897775d -> cd86569e9 >>>>> >>>>> >>>>> TS-2425: Update to TS-2261 for loading plugins as root >>>> [snip] >>>>> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/cd86569e/proxy/http/remap/UrlMapping.cc >>>>> ---------------------------------------------------------------------- >>>>> diff --git a/proxy/http/remap/UrlMapping.cc >>>>> b/proxy/http/remap/UrlMapping.cc >>>>> index d5b00d1..58739c1 100644 >>>>> --- a/proxy/http/remap/UrlMapping.cc >>>>> +++ b/proxy/http/remap/UrlMapping.cc >>>>> @@ -79,13 +79,8 @@ url_mapping::delete_instance(unsigned int index) >>>>> remap_plugin_info* p = get_plugin(index); >>>>> >>>>> if (ih && p && p->fp_tsremap_delete_instance) { >>>>> - // elevate the access to read files as root if compiled with >>>>> capabilities, if not >>>>> - // change the effective user to root >>>>> - uint32_t elevate_access = 0; >>>>> - REC_ReadConfigInteger(elevate_access, >>>>> "proxy.config.plugin.load_elevated"); >>>>> - ElevateAccess access(elevate_access != 0); >>>>> p->fp_tsremap_delete_instance(ih); >>>>> - } // done elevating access >>>>> + } >>>>> } >>>> >>>> The delete is no longer elevated? That seems inconsistent. Why did you >>>> remove that? Also, why is it necessary to perform the dlopen() with >>>> privilege? >>>> >>>> J >> >
