Hi all,

I recently started to have a look at supporting mod_perl for our
WebApp on Windows again and implemented a very simple PoC pre-loading
our app during start of HTTPd using "PerlPostConfigRequire". During
implementation I ran into the following problem with my setup.

My HTTPd is NOT running using an account with lots of permissions like
SYSTEM, but as a standard user instead. That user has read permissions
on all necessary files to serve and execute, can write logs properly
etc. Everything is working fine using plain CGI instead of mod_perl as
well.

When enabling mod_perl, the service refuses to start and the following
error is logged after some waiting:

> [Wed Jul 31 18:35:50.609122 2019] [perl:error] [pid 15276:tid 848] 
> APR::Finfo::stat: (70008) Partial results are valid but processing is 
> incomplete at C:\\Program Files\\Apache Software 
> Foundation\\mod_perl\\Current\\Perl64\\site\\lib/ModPerl/RegistryLoader.pm 
> line 119Compilation failed in require at (eval 2) line 1.\n

I've debugged this further and found that the problem is the current
implementation of "finfo". Replacing usage of FINFO_NORM with
FINFO_MIN makes the problem go away and my PoC succeed:

> sub finfo    { $_[0]->{finfo}||=APR::Finfo::stat($_[0]->{filename},
>                                                  APR::Const::FINFO_NORM,
>                                                  $_[0]->pool); }

vs.

> sub finfo    { $_[0]->{finfo}||=APR::Finfo::stat($_[0]->{filename},
>                                                  APR::Const::FINFO_MIN,
>                                                  $_[0]->pool); }

Using a completely different implementation based on File::stat::stat
and some custom wrapper to provide the same methods like APR::Finfo
fixes the problem as well. Before finding that solution I debugged the
problem using Process Monitor and it seems that FINFO_NORM requests
data which forces Windows to ask for admin-credentials, something
which is not easily possible in the context of a running service.

> 18:12:09,8533141      httpd.exe       20396   QueryRemoteProtocolInformation  
> C:\Users\tschoening\Documents\Eclipse\Perl DocBeam\MandKomm\mandkomm.pl 
> INVALID PARAMETER
> 18:12:09,8533617      httpd.exe       20396   QuerySecurityFile       
> C:\Users\tschoening\Documents\Eclipse\Perl DocBeam\MandKomm\mandkomm.pl 
> SUCCESS Information: Owner, Group, DACL

Those two statements are the last I'm able to directly associate with
mod_perl itself, because "mandkomm.pl" is the file I'm testing my PoC
with. Directly afterwards the following Windows-related internal stuff
happens:

> 18:12:09,8557370      httpd.exe       20396   CreateFile      C:\Program 
> Files\WindowsApps\Microsoft.LanguageExperiencePackde-DE_17763.14.39.0_neutral__8wekyb3d8bbwe\Windows\System32\de-DE\ntmarta.dll.mui
>   SUCCESS Desired Access: Generic Read, Disposition: Open, Options: , 
> Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: 
> Opened
> 18:12:09,8557889      httpd.exe       20396   CreateFileMapping       
> C:\Program 
> Files\WindowsApps\Microsoft.LanguageExperiencePackde-DE_17763.14.39.0_neutral__8wekyb3d8bbwe\Windows\System32\de-DE\ntmarta.dll.mui
>   FILE LOCKED WITH ONLY READERS   SyncType: SyncTypeCreateSection, 
> PageProtection: PAGE_EXECUTE|PAGE_NOCACHE
> 18:12:09,8558183      httpd.exe       20396   QueryStandardInformationFile    
> C:\Program 
> Files\WindowsApps\Microsoft.LanguageExperiencePackde-DE_17763.14.39.0_neutral__8wekyb3d8bbwe\Windows\System32\de-DE\ntmarta.dll.mui
>   SUCCESS AllocationSize: 16.384, EndOfFile: 14.720, NumberOfLinks: 1, 
> DeletePending: False, Directory: False
> 18:12:09,8558750      httpd.exe       20396   CreateFileMapping       
> C:\Program 
> Files\WindowsApps\Microsoft.LanguageExperiencePackde-DE_17763.14.39.0_neutral__8wekyb3d8bbwe\Windows\System32\de-DE\ntmarta.dll.mui
>   SUCCESS SyncType: SyncTypeOther
> 18:12:09,8562021      httpd.exe       20396   CreateFile      C:\Program 
> Files\Apache Software Foundation\httpd\bin\logoncli.dll      NAME NOT FOUND  
> Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse 
> Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
> 18:12:09,8564963      httpd.exe       20396   CreateFile      
> C:\Windows\System32\logoncli.dll        SUCCESS Desired Access: Read 
> Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, 
> ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
> 18:12:09,8565506      httpd.exe       20396   QueryBasicInformationFile       
> C:\Windows\System32\logoncli.dll        SUCCESS CreationTime: 15.09.2018 
> 09:28:46, LastAccessTime: 15.09.2018 09:28:46, LastWriteTime: 15.09.2018 
> 09:28:46, ChangeTime: 18.12.2018 14:29:50, FileAttributes: A
> 18:12:09,8565821      httpd.exe       20396   CloseFile       
> C:\Windows\System32\logoncli.dll        SUCCESS 
> 18:12:09,8567588      httpd.exe       20396   CreateFile      
> C:\Windows\System32\logoncli.dll        SUCCESS Desired Access: Read 
> Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, 
> Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, 
> ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
> 18:12:09,8568147      httpd.exe       20396   CreateFileMapping       
> C:\Windows\System32\logoncli.dll        FILE LOCKED WITH ONLY READERS   
> SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE
> 18:12:09,8568718      httpd.exe       20396   CreateFileMapping       
> C:\Windows\System32\logoncli.dll        SUCCESS SyncType: SyncTypeOther
> 18:12:09,8570352      httpd.exe       20396   CloseFile       
> C:\Windows\System32\logoncli.dll        SUCCESS 
> 18:12:09,8577214      httpd.exe       20396   CreateFile      C:\Program 
> Files\Apache Software Foundation\httpd\bin\netutils.dll      NAME NOT FOUND  
> Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse 
> Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
> 18:12:09,8580361      httpd.exe       20396   CreateFile      
> C:\Windows\System32\netutils.dll        SUCCESS Desired Access: Read 
> Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, 
> ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
> 18:12:09,8581042      httpd.exe       20396   QueryBasicInformationFile       
> C:\Windows\System32\netutils.dll        SUCCESS CreationTime: 15.09.2018 
> 09:28:46, LastAccessTime: 15.09.2018 09:28:46, LastWriteTime: 15.09.2018 
> 09:28:46, ChangeTime: 18.12.2018 14:29:37, FileAttributes: A
> 18:12:09,8581470      httpd.exe       20396   CloseFile       
> C:\Windows\System32\netutils.dll        SUCCESS 
> 18:12:09,8583470      httpd.exe       20396   CreateFile      
> C:\Windows\System32\netutils.dll        SUCCESS Desired Access: Read 
> Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, 
> Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, 
> ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
> 18:12:09,8584031      httpd.exe       20396   CreateFileMapping       
> C:\Windows\System32\netutils.dll        FILE LOCKED WITH ONLY READERS   
> SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE
> 18:12:09,8584618      httpd.exe       20396   CreateFileMapping       
> C:\Windows\System32\netutils.dll        SUCCESS SyncType: SyncTypeOther
> 18:12:09,8586230      httpd.exe       20396   CloseFile       
> C:\Windows\System32\netutils.dll        SUCCESS 
> 18:12:09,8622225      httpd.exe       20396   CreateFile      
> \\VORDEFINIERT*\MAILSLOT\NET\NETLOGON   SUCCESS Desired Access: Generic 
> Write, Read Attributes, Disposition: OpenIf, Options: Synchronous IO 
> Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, 
> AllocationSize: 0, OpenResult: Superseded
> 18:12:09,8622960      httpd.exe       20396   WriteFile       
> \\VORDEFINIERT*\MAILSLOT\NET\NETLOGON   BAD NETWORK PATH        Offset: 0, 
> Length: 78, Priority: Normal
> 18:12:23,4057050      httpd.exe       20396   CloseFile       
> \\VORDEFINIERT*\MAILSLOT\NET\NETLOGON   SUCCESS 
> 18:12:23,4094073      httpd.exe       20396   CreateFile      
> \\VORDEFINIERT*\MAILSLOT\NET\NETLOGON   SUCCESS Desired Access: Generic 
> Write, Read Attributes, Disposition: OpenIf, Options: Synchronous IO 
> Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, 
> AllocationSize: 0, OpenResult: Superseded
> 18:12:23,4095101      httpd.exe       20396   WriteFile       
> \\VORDEFINIERT*\MAILSLOT\NET\NETLOGON           Offset: 0, Length: 78, 
> Priority: Normal

Looking at the names of the DLLs it seems there's some authentication
trying to happen in the background which simply doesn't succeed. Which
would make sense, because by default Windows services are not allowed
to communicate with the desktop of the current user and things are
most likely simply timing out at some point.

Looking at the source of APR to get to know which data gets requested
using FINFO_NORM, I found the following:

> #define APR_FINFO_PROT   0x00700000 /**<  all protections */
> #define APR_FINFO_NORM   0x0073b170 /**<  an atomic unix apr_stat() */

FINFO_NORM seems to include APR_FINFO_PROT and searching the sources
for that maps to lots of security related function calls on Windows,
which might not be accessible for the user my HTTPd is running under.

All this leads to the following questions:

1. Does that make sense to anyone at all? :-)
2. Does mod_perl really need FINFO_NORM or can it switch to FINFO_MIN?
3. Is this maybe something the APR-project itself should look at?
   FINFO_NORM seems to be some default which should fail in other
   contexts with standard users as well.

Thanks for your time!

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail: thorsten.schoen...@am-soft.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Phone.............05151-  9468- 55
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow
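
Added example, not part of the original message or of APR/mod_perl: a small decoder for the `wanted` bitmask discussed above, showing which fields FINFO_NORM requests on top of FINFO_MIN. Only the PROT and NORM values are quoted in the post; the remaining bit values are taken from APR's `apr_file_info.h`, and the helper names `finfo_missing` and `finfo_describe` are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* PROT and NORM are quoted in the post; MIN and the single bits below
 * are the values from APR's apr_file_info.h (not shown on the page). */
#define FINFO_MIN   0x00008170u
#define FINFO_PROT  0x00700000u
#define FINFO_NORM  0x0073b170u

static const struct { uint32_t bit; const char *name; } finfo_bits[] = {
    {0x00000010u, "MTIME"}, {0x00000020u, "CTIME"}, {0x00000040u, "ATIME"},
    {0x00000100u, "SIZE"},  {0x00001000u, "DEV"},   {0x00002000u, "INODE"},
    {0x00008000u, "TYPE"},  {0x00010000u, "USER"},  {0x00020000u, "GROUP"},
    {0x00100000u, "UPROT"}, {0x00200000u, "GPROT"}, {0x00400000u, "WPROT"},
};

/* Fields requested in `wanted` but not present in `valid`. apr_stat()
 * returns APR_INCOMPLETE (70008) when this difference is non-zero. */
uint32_t finfo_missing(uint32_t wanted, uint32_t valid)
{
    return wanted & ~valid;
}

/* Space-separated names of the bits set in `mask` (static buffer). */
const char *finfo_describe(uint32_t mask)
{
    static char buf[128];
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof finfo_bits / sizeof finfo_bits[0]; i++) {
        if (!(mask & finfo_bits[i].bit))
            continue;
        if (buf[0] != '\0')
            strncat(buf, " ", sizeof buf - strlen(buf) - 1);
        strncat(buf, finfo_bits[i].name, sizeof buf - strlen(buf) - 1);
    }
    return buf;
}

int main(void)
{
    /* What NORM asks for that MIN does not. */
    uint32_t extra = finfo_missing(FINFO_NORM, FINFO_MIN);
    printf("NORM only: 0x%08x (%s)\n", (unsigned)extra, finfo_describe(extra));
    /* Constructed case: NORM was wanted, only the MIN fields came back. */
    printf("APR_INCOMPLETE: %s\n",
           finfo_missing(FINFO_NORM, FINFO_MIN) ? "yes" : "no");
    return 0;
}
```

The difference consists of the owner, group, protection and device/inode fields, which lines up with the `QuerySecurityFile` row ("Owner, Group, DACL") in the Process Monitor trace.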
