httpd/httpd-2.4.2-r1337344+.patch


http://svn.apache.org/viewvc?view=revision&revision=1337344
http://svn.apache.org/viewvc?view=revision&revision=1341905

--- httpd-2.4.2/support/suexec.c
+++ httpd-2.4.2/support/suexec.c
@@ -58,6 +58,10 @@
 #include <grp.h>
 #endif
 
+#ifdef AP_LOG_SYSLOG
+#include <syslog.h>
+#endif
+
 #if defined(PATH_MAX)
 #define AP_MAXPATH PATH_MAX
 #elif defined(MAXPATHLEN)
@@ -69,7 +73,12 @@
 #define AP_ENVBUF 256
 
 extern char **environ;
+
+#ifdef AP_LOG_SYSLOG
+static int log_open;
+#else
 static FILE *log = NULL;
+#endif
 
 static const char *const safe_env_lst[] =
 {
@@ -128,10 +137,23 @@
     NULL
 };
 
+static void log_err(const char *fmt,...) 
+    __attribute__((format(printf,1,2)));
+static void log_no_err(const char *fmt,...)  
+    __attribute__((format(printf,1,2)));
+static void err_output(int is_error, const char *fmt, va_list ap) 
+    __attribute__((format(printf,2,0)));
 
 static void err_output(int is_error, const char *fmt, va_list ap)
 {
-#ifdef AP_LOG_EXEC
+#if defined(AP_LOG_SYSLOG)
+    if (!log_open) {
+        openlog("suexec", LOG_PID, LOG_DAEMON);
+        log_open = 1;
+    }
+
+    vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
+#elif defined(AP_LOG_EXEC)
     time_t timevar;
     struct tm *lt;
 
@@ -263,7 +285,7 @@
      */
     uid = getuid();
     if ((pw = getpwuid(uid)) == NULL) {
-        log_err("crit: invalid uid: (%ld)\n", uid);
+        log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid);
         exit(102);
     }
     /*
@@ -289,7 +311,9 @@
 #ifdef AP_HTTPD_USER
         fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
 #endif
-#ifdef AP_LOG_EXEC
+#if defined(AP_LOG_SYSLOG)
+        fprintf(stderr, " -D AP_LOG_SYSLOG\n");
+#elif defined(AP_LOG_EXEC)
         fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
 #endif
 #ifdef AP_SAFE_PATH
@@ -440,7 +464,7 @@
      * a UID less than AP_UID_MIN.  Tsk tsk.
      */
     if ((uid == 0) || (uid < AP_UID_MIN)) {
-        log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
+        log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
         exit(107);
     }
 
@@ -449,7 +473,7 @@
      * or as a GID less than AP_GID_MIN.  Tsk tsk.
      */
     if ((gid == 0) || (gid < AP_GID_MIN)) {
-        log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
+        log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd);
         exit(108);
     }
 
@@ -460,7 +484,7 @@
      * and setgid() to the target group. If unsuccessful, error out.
      */
     if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
-        log_err("failed to setgid (%ld: %s)\n", gid, cmd);
+        log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd);
         exit(109);
     }
 
@@ -468,7 +492,7 @@
      * setuid() to the target user.  Error out on fail.
      */
     if ((setuid(uid)) != 0) {
-        log_err("failed to setuid (%ld: %s)\n", uid, cmd);
+        log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
         exit(110);
     }
 
@@ -556,11 +580,11 @@
         (gid != dir_info.st_gid) ||
         (uid != prg_info.st_uid) ||
         (gid != prg_info.st_gid)) {
-        log_err("target uid/gid (%ld/%ld) mismatch "
-                "with directory (%ld/%ld) or program (%ld/%ld)\n",
-                uid, gid,
-                dir_info.st_uid, dir_info.st_gid,
-                prg_info.st_uid, prg_info.st_gid);
+        log_err("target uid/gid (%lu/%lu) mismatch "
+                "with directory (%lu/%lu) or program (%lu/%lu)\n",
+                (unsigned long)uid, (unsigned long)gid,
+                (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid,
+                (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
         exit(120);
     }
     /*
@@ -585,6 +609,12 @@
 #endif /* AP_SUEXEC_UMASK */
 
     /* Be sure to close the log file so the CGI can't mess with it. */
+#ifdef AP_LOG_SYSLOG
+    if (log_open) {
+        closelog();
+        log_open = 0;
+    }
+#else
     if (log != NULL) {
 #if APR_HAVE_FCNTL_H
         /*
@@ -606,6 +636,7 @@
         log = NULL;
 #endif
     }
+#endif
 
     /*
      * Execute the command, replacing our image with its own.
--- httpd-2.4.2/configure.in
+++ httpd-2.4.2/configure.in
@@ -703,8 +703,25 @@
 
 AC_ARG_WITH(suexec-logfile,
 APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
-  AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
+  if test "x$withval" = "xyes"; then
+    AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
+  fi
+])
 
+AC_ARG_WITH(suexec-syslog,
+APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
+  if test $withval = "yes"; then
+    if test "x${with_suexec_logfile}" != "xno"; then
+      AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
+      AC_MSG_ERROR([suexec does not support both logging to file and syslog])
+    fi
+    AC_CHECK_FUNCS([vsyslog], [], [
+       AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
+    AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
+  fi    
+])
+
+
 AC_ARG_WITH(suexec-safepath,
 APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
   AC_DEFINE_UNQUOTED(AP_SAFE_PATH, "$withval", [safe shell path for SuExec] ) ] )
suexec: use syslog rather than suexec.log, drop dac_override capability 2012-05-23 16:01:18 +00:00
			`http://svn.apache.org/viewvc?view=revision&revision=1337344`
			`http://svn.apache.org/viewvc?view=revision&revision=1341905`

			`--- httpd-2.4.2/support/suexec.c`
			`+++ httpd-2.4.2/support/suexec.c`
			`@@ -58,6 +58,10 @@`
			`#include <grp.h>`
			`#endif`

			`+#ifdef AP_LOG_SYSLOG`
			`+#include <syslog.h>`
			`+#endif`
			`+`
			`#if defined(PATH_MAX)`
			`#define AP_MAXPATH PATH_MAX`
			`#elif defined(MAXPATHLEN)`
			`@@ -69,7 +73,12 @@`
			`#define AP_ENVBUF 256`

			`extern char **environ;`
			`+`
			`+#ifdef AP_LOG_SYSLOG`
			`+static int log_open;`
			`+#else`
			`static FILE *log = NULL;`
			`+#endif`

			`static const char *const safe_env_lst[] =`
			`{`
			`@@ -128,10 +137,23 @@`
			`NULL`
			`};`

			`+static void log_err(const char *fmt,...)`
			`+ __attribute__((format(printf,1,2)));`
			`+static void log_no_err(const char *fmt,...)`
			`+ __attribute__((format(printf,1,2)));`
			`+static void err_output(int is_error, const char *fmt, va_list ap)`
			`+ __attribute__((format(printf,2,0)));`

			`static void err_output(int is_error, const char *fmt, va_list ap)`
			`{`
			`-#ifdef AP_LOG_EXEC`
			`+#if defined(AP_LOG_SYSLOG)`
			`+ if (!log_open) {`
			`+ openlog("suexec", LOG_PID, LOG_DAEMON);`
			`+ log_open = 1;`
			`+ }`
			`+`
			`+ vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);`
			`+#elif defined(AP_LOG_EXEC)`
			`time_t timevar;`
			`struct tm *lt;`

			`@@ -263,7 +285,7 @@`
			`*/`
			`uid = getuid();`
			`if ((pw = getpwuid(uid)) == NULL) {`
			`- log_err("crit: invalid uid: (%ld)\n", uid);`
			`+ log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid);`
			`exit(102);`
			`}`
			`/*`
			`@@ -289,7 +311,9 @@`
			`#ifdef AP_HTTPD_USER`
			`fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);`
			`#endif`
			`-#ifdef AP_LOG_EXEC`
			`+#if defined(AP_LOG_SYSLOG)`
			`+ fprintf(stderr, " -D AP_LOG_SYSLOG\n");`
			`+#elif defined(AP_LOG_EXEC)`
			`fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);`
			`#endif`
			`#ifdef AP_SAFE_PATH`
			`@@ -440,7 +464,7 @@`
			`* a UID less than AP_UID_MIN. Tsk tsk.`
			`*/`
			`if ((uid == 0) \|\| (uid < AP_UID_MIN)) {`
			`- log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);`
			`+ log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);`
			`exit(107);`
			`}`

			`@@ -449,7 +473,7 @@`
			`* or as a GID less than AP_GID_MIN. Tsk tsk.`
			`*/`
			`if ((gid == 0) \|\| (gid < AP_GID_MIN)) {`
			`- log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);`
			`+ log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd);`
			`exit(108);`
			`}`

			`@@ -460,7 +484,7 @@`
			`* and setgid() to the target group. If unsuccessful, error out.`
			`*/`
			`if (((setgid(gid)) != 0) \|\| (initgroups(actual_uname, gid) != 0)) {`
			`- log_err("failed to setgid (%ld: %s)\n", gid, cmd);`
			`+ log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd);`
			`exit(109);`
			`}`

			`@@ -468,7 +492,7 @@`
			`* setuid() to the target user. Error out on fail.`
			`*/`
			`if ((setuid(uid)) != 0) {`
			`- log_err("failed to setuid (%ld: %s)\n", uid, cmd);`
			`+ log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);`
			`exit(110);`
			`}`

			`@@ -556,11 +580,11 @@`
			`(gid != dir_info.st_gid) \|\|`
			`(uid != prg_info.st_uid) \|\|`
			`(gid != prg_info.st_gid)) {`
			`- log_err("target uid/gid (%ld/%ld) mismatch "`
			`- "with directory (%ld/%ld) or program (%ld/%ld)\n",`
			`- uid, gid,`
			`- dir_info.st_uid, dir_info.st_gid,`
			`- prg_info.st_uid, prg_info.st_gid);`
			`+ log_err("target uid/gid (%lu/%lu) mismatch "`
			`+ "with directory (%lu/%lu) or program (%lu/%lu)\n",`
			`+ (unsigned long)uid, (unsigned long)gid,`
			`+ (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid,`
			`+ (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);`
			`exit(120);`
			`}`
			`/*`
			`@@ -585,6 +609,12 @@`
			`#endif /* AP_SUEXEC_UMASK */`

			`/* Be sure to close the log file so the CGI can't mess with it. */`
			`+#ifdef AP_LOG_SYSLOG`
			`+ if (log_open) {`
			`+ closelog();`
			`+ log_open = 0;`
			`+ }`
			`+#else`
			`if (log != NULL) {`
			`#if APR_HAVE_FCNTL_H`
			`/*`
			`@@ -606,6 +636,7 @@`
			`log = NULL;`
			`#endif`
			`}`
			`+#endif`

			`/*`
			`* Execute the command, replacing our image with its own.`
			`--- httpd-2.4.2/configure.in`
			`+++ httpd-2.4.2/configure.in`
			`@@ -703,8 +703,25 @@`

			`AC_ARG_WITH(suexec-logfile,`
			`APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[`
			`- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )`
			`+ if test "x$withval" = "xyes"; then`
			`+ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])`
			`+ fi`
			`+])`

			`+AC_ARG_WITH(suexec-syslog,`
			`+APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[`
			`+ if test $withval = "yes"; then`
			`+ if test "x${with_suexec_logfile}" != "xno"; then`
			`+ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])`
			`+ AC_MSG_ERROR([suexec does not support both logging to file and syslog])`
			`+ fi`
			`+ AC_CHECK_FUNCS([vsyslog], [], [`
			`+ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])`
			`+ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])`
			`+ fi`
			`+])`
			`+`
			`+`
			`AC_ARG_WITH(suexec-safepath,`
			`APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[`
			`AC_DEFINE_UNQUOTED(AP_SAFE_PATH, "$withval", [safe shell path for SuExec] ) ] )`