2012-11-13 16:49:42 +00:00
|
|
|
# ./pullrev.sh 1337344 1341905 1342065 1341930
|
2012-05-23 16:01:18 +00:00
|
|
|
|
2012-05-24 08:15:56 +00:00
|
|
|
suexec enhancements:
|
|
|
|
|
|
|
|
1) use syslog for logging
|
|
|
|
2) use capabilities not setuid/setgid root binary
|
|
|
|
|
2012-05-23 16:01:18 +00:00
|
|
|
http://svn.apache.org/viewvc?view=revision&revision=1337344
|
|
|
|
http://svn.apache.org/viewvc?view=revision&revision=1341905
|
2012-05-23 21:48:18 +00:00
|
|
|
http://svn.apache.org/viewvc?view=revision&revision=1342065
|
|
|
|
http://svn.apache.org/viewvc?view=revision&revision=1341930
|
2012-05-31 13:30:39 +00:00
|
|
|
|
2012-11-13 16:32:01 +00:00
|
|
|
--- httpd-2.4.3/configure.in.r1337344+
|
|
|
|
+++ httpd-2.4.3/configure.in
|
|
|
|
@@ -717,7 +717,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
|
2012-05-31 15:46:06 +00:00
|
|
|
|
|
|
|
AC_ARG_WITH(suexec-logfile,
|
|
|
|
APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
|
|
|
|
- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
|
|
|
|
+ if test "x$withval" = "xyes"; then
|
|
|
|
+ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
|
|
|
|
+ fi
|
|
|
|
+])
|
|
|
|
+
|
|
|
|
+AC_ARG_WITH(suexec-syslog,
|
|
|
|
+APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
|
|
|
|
+ if test $withval = "yes"; then
|
|
|
|
+ if test "x${with_suexec_logfile}" != "xno"; then
|
|
|
|
+ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
|
|
|
|
+ AC_MSG_ERROR([suexec does not support both logging to file and syslog])
|
|
|
|
+ fi
|
|
|
|
+ AC_CHECK_FUNCS([vsyslog], [], [
|
|
|
|
+ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
|
|
|
|
+ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
|
|
|
|
+ fi
|
|
|
|
+])
|
|
|
|
+
|
|
|
|
|
|
|
|
AC_ARG_WITH(suexec-safepath,
|
|
|
|
APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
|
2012-11-13 16:32:01 +00:00
|
|
|
@@ -727,6 +744,15 @@ AC_ARG_WITH(suexec-umask,
|
2012-05-31 15:46:06 +00:00
|
|
|
APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
|
|
|
|
AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
|
|
|
|
|
|
|
|
+INSTALL_SUEXEC=setuid
|
|
|
|
+AC_ARG_ENABLE([suexec-capabilities],
|
|
|
|
+APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
|
|
|
|
+INSTALL_SUEXEC=caps
|
|
|
|
+AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
|
|
|
|
+ [Enable if suexec is installed with Linux capabilities, not setuid])
|
|
|
|
+])
|
|
|
|
+APACHE_SUBST(INSTALL_SUEXEC)
|
|
|
|
+
|
|
|
|
dnl APR should go after the other libs, so the right symbols can be picked up
|
|
|
|
if test x${apu_found} != xobsolete; then
|
|
|
|
AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
|
2012-11-13 16:32:01 +00:00
|
|
|
--- httpd-2.4.3/docs/manual/suexec.html.en.r1337344+
|
|
|
|
+++ httpd-2.4.3/docs/manual/suexec.html.en
|
|
|
|
@@ -372,6 +372,21 @@
|
2012-05-31 15:46:06 +00:00
|
|
|
together with the <code>--enable-suexec</code> option to let
|
|
|
|
APACI accept your request for using the suEXEC feature.</dd>
|
|
|
|
|
|
|
|
+ <dt><code>--enable-suexec-capabilities</code></dt>
|
|
|
|
+
|
|
|
|
+ <dd><strong>Linux specific:</strong> Normally,
|
|
|
|
+ the <code>suexec</code> binary is installed "setuid/setgid
|
|
|
|
+ root", which allows it to run with the full privileges of the
|
|
|
|
+ root user. If this option is used, the <code>suexec</code>
|
|
|
|
+ binary will instead be installed with only the setuid/setgid
|
|
|
|
+ "capability" bits set, which is the subset of full root
|
|
|
|
+ priviliges required for suexec operation. Note that
|
|
|
|
+ the <code>suexec</code> binary may not be able to write to a log
|
|
|
|
+ file in this mode; it is recommended that the
|
|
|
|
+ <code>--with-suexec-syslog --without-suexec-logfile</code>
|
|
|
|
+ options are used in conjunction with this mode, so that syslog
|
|
|
|
+ logging is used instead.</dd>
|
|
|
|
+
|
|
|
|
<dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
|
|
|
|
|
|
|
|
<dd>The path to the <code>suexec</code> binary must be hard-coded
|
2012-11-13 16:32:01 +00:00
|
|
|
@@ -433,6 +448,12 @@
|
2012-05-31 15:46:06 +00:00
|
|
|
"<code>suexec_log</code>" and located in your standard logfile
|
|
|
|
directory (<code>--logfiledir</code>).</dd>
|
|
|
|
|
|
|
|
+ <dt><code>--with-suexec-syslog</code></dt>
|
|
|
|
+
|
|
|
|
+ <dd>If defined, suexec will log notices and errors to syslog
|
|
|
|
+ instead of a logfile. This option must be combined
|
|
|
|
+ with <code>--without-suexec-logfile</code>.</dd>
|
|
|
|
+
|
|
|
|
<dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
|
|
|
|
|
|
|
|
<dd>Define a safe PATH environment to pass to CGI
|
2012-11-13 16:32:01 +00:00
|
|
|
@@ -550,9 +571,12 @@ Group webgroup
|
2012-05-31 15:46:06 +00:00
|
|
|
|
|
|
|
<p>The suEXEC wrapper will write log information
|
|
|
|
to the file defined with the <code>--with-suexec-logfile</code>
|
|
|
|
- option as indicated above. If you feel you have configured and
|
|
|
|
- installed the wrapper properly, have a look at this log and the
|
|
|
|
- error_log for the server to see where you may have gone astray.</p>
|
|
|
|
+ option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
|
|
|
|
+ is used. If you feel you have configured and
|
|
|
|
+ installed the wrapper properly, have a look at the log and the
|
|
|
|
+ error_log for the server to see where you may have gone astray.
|
|
|
|
+ The output of <code>"suexec -V"</code> will show the options
|
|
|
|
+ used to compile suexec, if using a binary distribution.</p>
|
|
|
|
|
|
|
|
</div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
|
|
|
|
<div class="section">
|
2012-11-13 16:32:01 +00:00
|
|
|
@@ -640,4 +664,4 @@ if (typeof(prettyPrint) !== 'undefined')
|
|
|
|
prettyPrint();
|
|
|
|
}
|
|
|
|
//--><!]]></script>
|
|
|
|
-</body></html>
|
|
|
|
\ No newline at end of file
|
|
|
|
+</body></html>
|
|
|
|
--- httpd-2.4.3/Makefile.in.r1337344+
|
|
|
|
+++ httpd-2.4.3/Makefile.in
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -236,11 +236,22 @@ install-man:
|
|
|
|
cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
|
|
|
|
fi
|
|
|
|
|
|
|
|
-install-suexec:
|
|
|
|
+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
|
|
|
|
+
|
|
|
|
+install-suexec-binary:
|
|
|
|
@if test -f $(builddir)/support/suexec; then \
|
|
|
|
test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
|
|
|
|
$(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
|
|
|
|
- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
|
|
|
|
+ fi
|
|
|
|
+
|
|
|
|
+install-suexec-setuid:
|
|
|
|
+ @if test -f $(builddir)/support/suexec; then \
|
|
|
|
+ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
|
|
|
|
+ fi
|
|
|
|
+
|
|
|
|
+install-suexec-caps:
|
|
|
|
+ @if test -f $(builddir)/support/suexec; then \
|
2013-01-08 13:16:50 +00:00
|
|
|
+ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
|
2012-05-31 15:46:06 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
suexec:
|
2012-11-13 16:32:01 +00:00
|
|
|
--- httpd-2.4.3/modules/arch/unix/mod_unixd.c.r1337344+
|
|
|
|
+++ httpd-2.4.3/modules/arch/unix/mod_unixd.c
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
+#ifdef AP_SUEXEC_CAPABILITIES
|
|
|
|
+/* If suexec is using capabilities, don't test for the setuid bit. */
|
|
|
|
+#define SETUID_TEST(finfo) (1)
|
|
|
|
+#else
|
|
|
|
+#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
|
|
|
|
+#endif
|
|
|
|
+
|
|
|
|
static int
|
|
|
|
unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
|
|
|
|
apr_pool_t *ptemp)
|
|
|
|
@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
|
|
|
|
ap_unixd_config.suexec_enabled = 0;
|
|
|
|
if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
|
|
|
|
== APR_SUCCESS) {
|
|
|
|
- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
|
|
|
|
+ if (SETUID_TEST(wrapper) && wrapper.user == 0
|
|
|
|
&& (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
|
|
|
|
ap_unixd_config.suexec_enabled = 1;
|
|
|
|
ap_unixd_config.suexec_disabled_reason = "";
|
2012-11-13 16:32:01 +00:00
|
|
|
--- httpd-2.4.3/support/suexec.c.r1337344+
|
|
|
|
+++ httpd-2.4.3/support/suexec.c
|
2012-05-23 16:01:18 +00:00
|
|
|
@@ -58,6 +58,10 @@
|
|
|
|
#include <grp.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
+#ifdef AP_LOG_SYSLOG
|
|
|
|
+#include <syslog.h>
|
|
|
|
+#endif
|
|
|
|
+
|
|
|
|
#if defined(PATH_MAX)
|
|
|
|
#define AP_MAXPATH PATH_MAX
|
|
|
|
#elif defined(MAXPATHLEN)
|
2012-05-31 13:30:39 +00:00
|
|
|
@@ -69,7 +73,20 @@
|
2012-05-23 16:01:18 +00:00
|
|
|
#define AP_ENVBUF 256
|
|
|
|
|
|
|
|
extern char **environ;
|
|
|
|
+
|
|
|
|
+#ifdef AP_LOG_SYSLOG
|
2012-05-31 13:30:39 +00:00
|
|
|
+/* Syslog support. */
|
|
|
|
+#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV)
|
|
|
|
+#define AP_LOG_FACILITY LOG_AUTHPRIV
|
|
|
|
+#elif !defined(AP_LOG_FACILITY)
|
|
|
|
+#define AP_LOG_FACILITY LOG_AUTH
|
|
|
|
+#endif
|
|
|
|
+
|
2012-05-23 16:01:18 +00:00
|
|
|
+static int log_open;
|
|
|
|
+#else
|
2012-05-31 13:30:39 +00:00
|
|
|
+/* Non-syslog support. */
|
2012-05-23 16:01:18 +00:00
|
|
|
static FILE *log = NULL;
|
|
|
|
+#endif
|
|
|
|
|
|
|
|
static const char *const safe_env_lst[] =
|
|
|
|
{
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -128,10 +145,23 @@ static const char *const safe_env_lst[]
|
2012-05-23 16:01:18 +00:00
|
|
|
NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
+static void log_err(const char *fmt,...)
|
|
|
|
+ __attribute__((format(printf,1,2)));
|
|
|
|
+static void log_no_err(const char *fmt,...)
|
|
|
|
+ __attribute__((format(printf,1,2)));
|
|
|
|
+static void err_output(int is_error, const char *fmt, va_list ap)
|
|
|
|
+ __attribute__((format(printf,2,0)));
|
|
|
|
|
|
|
|
static void err_output(int is_error, const char *fmt, va_list ap)
|
|
|
|
{
|
|
|
|
-#ifdef AP_LOG_EXEC
|
|
|
|
+#if defined(AP_LOG_SYSLOG)
|
|
|
|
+ if (!log_open) {
|
2012-05-31 13:30:39 +00:00
|
|
|
+ openlog("suexec", LOG_PID, AP_LOG_FACILITY);
|
2012-05-23 16:01:18 +00:00
|
|
|
+ log_open = 1;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
|
|
|
|
+#elif defined(AP_LOG_EXEC)
|
|
|
|
time_t timevar;
|
|
|
|
struct tm *lt;
|
|
|
|
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -263,7 +293,7 @@ int main(int argc, char *argv[])
|
2012-05-23 16:01:18 +00:00
|
|
|
*/
|
|
|
|
uid = getuid();
|
|
|
|
if ((pw = getpwuid(uid)) == NULL) {
|
|
|
|
- log_err("crit: invalid uid: (%ld)\n", uid);
|
|
|
|
+ log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid);
|
|
|
|
exit(102);
|
|
|
|
}
|
|
|
|
/*
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -289,7 +319,9 @@ int main(int argc, char *argv[])
|
2012-05-23 16:01:18 +00:00
|
|
|
#ifdef AP_HTTPD_USER
|
|
|
|
fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
|
|
|
|
#endif
|
|
|
|
-#ifdef AP_LOG_EXEC
|
|
|
|
+#if defined(AP_LOG_SYSLOG)
|
|
|
|
+ fprintf(stderr, " -D AP_LOG_SYSLOG\n");
|
|
|
|
+#elif defined(AP_LOG_EXEC)
|
|
|
|
fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
|
|
|
|
#endif
|
|
|
|
#ifdef AP_SAFE_PATH
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -440,7 +472,7 @@ int main(int argc, char *argv[])
|
2012-05-23 16:01:18 +00:00
|
|
|
* a UID less than AP_UID_MIN. Tsk tsk.
|
|
|
|
*/
|
|
|
|
if ((uid == 0) || (uid < AP_UID_MIN)) {
|
|
|
|
- log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
|
|
|
|
+ log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
|
|
|
|
exit(107);
|
|
|
|
}
|
|
|
|
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -449,7 +481,7 @@ int main(int argc, char *argv[])
|
2012-05-23 16:01:18 +00:00
|
|
|
* or as a GID less than AP_GID_MIN. Tsk tsk.
|
|
|
|
*/
|
|
|
|
if ((gid == 0) || (gid < AP_GID_MIN)) {
|
|
|
|
- log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
|
|
|
|
+ log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd);
|
|
|
|
exit(108);
|
|
|
|
}
|
|
|
|
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -460,7 +492,7 @@ int main(int argc, char *argv[])
|
2012-05-23 16:01:18 +00:00
|
|
|
* and setgid() to the target group. If unsuccessful, error out.
|
|
|
|
*/
|
|
|
|
if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
|
|
|
|
- log_err("failed to setgid (%ld: %s)\n", gid, cmd);
|
|
|
|
+ log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd);
|
|
|
|
exit(109);
|
|
|
|
}
|
|
|
|
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -468,7 +500,7 @@ int main(int argc, char *argv[])
|
2012-05-23 16:01:18 +00:00
|
|
|
* setuid() to the target user. Error out on fail.
|
|
|
|
*/
|
|
|
|
if ((setuid(uid)) != 0) {
|
|
|
|
- log_err("failed to setuid (%ld: %s)\n", uid, cmd);
|
|
|
|
+ log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
|
|
|
|
exit(110);
|
|
|
|
}
|
|
|
|
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -556,11 +588,11 @@ int main(int argc, char *argv[])
|
2012-05-23 16:01:18 +00:00
|
|
|
(gid != dir_info.st_gid) ||
|
|
|
|
(uid != prg_info.st_uid) ||
|
|
|
|
(gid != prg_info.st_gid)) {
|
|
|
|
- log_err("target uid/gid (%ld/%ld) mismatch "
|
|
|
|
- "with directory (%ld/%ld) or program (%ld/%ld)\n",
|
|
|
|
- uid, gid,
|
|
|
|
- dir_info.st_uid, dir_info.st_gid,
|
|
|
|
- prg_info.st_uid, prg_info.st_gid);
|
|
|
|
+ log_err("target uid/gid (%lu/%lu) mismatch "
|
|
|
|
+ "with directory (%lu/%lu) or program (%lu/%lu)\n",
|
|
|
|
+ (unsigned long)uid, (unsigned long)gid,
|
|
|
|
+ (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid,
|
|
|
|
+ (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
|
|
|
|
exit(120);
|
|
|
|
}
|
|
|
|
/*
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -585,6 +617,12 @@ int main(int argc, char *argv[])
|
2012-05-23 16:01:18 +00:00
|
|
|
#endif /* AP_SUEXEC_UMASK */
|
|
|
|
|
|
|
|
/* Be sure to close the log file so the CGI can't mess with it. */
|
|
|
|
+#ifdef AP_LOG_SYSLOG
|
|
|
|
+ if (log_open) {
|
|
|
|
+ closelog();
|
|
|
|
+ log_open = 0;
|
|
|
|
+ }
|
|
|
|
+#else
|
|
|
|
if (log != NULL) {
|
|
|
|
#if APR_HAVE_FCNTL_H
|
|
|
|
/*
|
2012-05-31 15:46:06 +00:00
|
|
|
@@ -606,6 +644,7 @@ int main(int argc, char *argv[])
|
2012-05-23 16:01:18 +00:00
|
|
|
log = NULL;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
+#endif
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Execute the command, replacing our image with its own.
|