suexec: use syslog rather than suexec.log, drop dac_override capability

httpd-2.4.2-r1337344+.patch

@@ -0,0 +1,178 @@
+
+http://svn.apache.org/viewvc?view=revision&revision=1337344
+http://svn.apache.org/viewvc?view=revision&revision=1341905
+
+--- httpd-2.4.2/support/suexec.c
++++ httpd-2.4.2/support/suexec.c
+@@ -58,6 +58,10 @@
+ #include <grp.h>
+ #endif
+ 
++#ifdef AP_LOG_SYSLOG
++#include <syslog.h>
++#endif
++
+ #if defined(PATH_MAX)
+ #define AP_MAXPATH PATH_MAX
+ #elif defined(MAXPATHLEN)
+@@ -69,7 +73,12 @@
+ #define AP_ENVBUF 256
+ 
+ extern char **environ;
++
++#ifdef AP_LOG_SYSLOG
++static int log_open;
++#else
+ static FILE *log = NULL;
++#endif
+ 
+ static const char *const safe_env_lst[] =
+ {
+@@ -128,10 +137,23 @@
+     NULL
+ };
+ 
++static void log_err(const char *fmt,...) 
++    __attribute__((format(printf,1,2)));
++static void log_no_err(const char *fmt,...)  
++    __attribute__((format(printf,1,2)));
++static void err_output(int is_error, const char *fmt, va_list ap) 
++    __attribute__((format(printf,2,0)));
+ 
+ static void err_output(int is_error, const char *fmt, va_list ap)
+ {
+-#ifdef AP_LOG_EXEC
++#if defined(AP_LOG_SYSLOG)
++    if (!log_open) {
++        openlog("suexec", LOG_PID, LOG_DAEMON);
++        log_open = 1;
++    }
++
++    vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
++#elif defined(AP_LOG_EXEC)
+     time_t timevar;
+     struct tm *lt;
+ 
+@@ -263,7 +285,7 @@
+      */
+     uid = getuid();
+     if ((pw = getpwuid(uid)) == NULL) {
+-        log_err("crit: invalid uid: (%ld)\n", uid);
++        log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid);
+         exit(102);
+     }
+     /*
+@@ -289,7 +311,9 @@
+ #ifdef AP_HTTPD_USER
+         fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
+ #endif
+-#ifdef AP_LOG_EXEC
++#if defined(AP_LOG_SYSLOG)
++        fprintf(stderr, " -D AP_LOG_SYSLOG\n");
++#elif defined(AP_LOG_EXEC)
+         fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
+ #endif
+ #ifdef AP_SAFE_PATH
+@@ -440,7 +464,7 @@
+      * a UID less than AP_UID_MIN.  Tsk tsk.
+      */
+     if ((uid == 0) || (uid < AP_UID_MIN)) {
+-        log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
++        log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
+         exit(107);
+     }
+ 
+@@ -449,7 +473,7 @@
+      * or as a GID less than AP_GID_MIN.  Tsk tsk.
+      */
+     if ((gid == 0) || (gid < AP_GID_MIN)) {
+-        log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
++        log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd);
+         exit(108);
+     }
+ 
+@@ -460,7 +484,7 @@
+      * and setgid() to the target group. If unsuccessful, error out.
+      */
+     if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
+-        log_err("failed to setgid (%ld: %s)\n", gid, cmd);
++        log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd);
+         exit(109);
+     }
+ 
+@@ -468,7 +492,7 @@
+      * setuid() to the target user.  Error out on fail.
+      */
+     if ((setuid(uid)) != 0) {
+-        log_err("failed to setuid (%ld: %s)\n", uid, cmd);
++        log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
+         exit(110);
+     }
+ 
+@@ -556,11 +580,11 @@
+         (gid != dir_info.st_gid) ||
+         (uid != prg_info.st_uid) ||
+         (gid != prg_info.st_gid)) {
+-        log_err("target uid/gid (%ld/%ld) mismatch "
+-                "with directory (%ld/%ld) or program (%ld/%ld)\n",
+-                uid, gid,
+-                dir_info.st_uid, dir_info.st_gid,
+-                prg_info.st_uid, prg_info.st_gid);
++        log_err("target uid/gid (%lu/%lu) mismatch "
++                "with directory (%lu/%lu) or program (%lu/%lu)\n",
++                (unsigned long)uid, (unsigned long)gid,
++                (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid,
++                (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
+         exit(120);
+     }
+     /*
+@@ -585,6 +609,12 @@
+ #endif /* AP_SUEXEC_UMASK */
+ 
+     /* Be sure to close the log file so the CGI can't mess with it. */
++#ifdef AP_LOG_SYSLOG
++    if (log_open) {
++        closelog();
++        log_open = 0;
++    }
++#else
+     if (log != NULL) {
+ #if APR_HAVE_FCNTL_H
+         /*
+@@ -606,6 +636,7 @@
+         log = NULL;
+ #endif
+     }
++#endif
+ 
+     /*
+      * Execute the command, replacing our image with its own.
+--- httpd-2.4.2/configure.in
++++ httpd-2.4.2/configure.in
+@@ -703,8 +703,25 @@
+ 
+ AC_ARG_WITH(suexec-logfile,
+ APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
+-  AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
++  if test "x$withval" = "xyes"; then
++    AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
++  fi
++])
+ 
++AC_ARG_WITH(suexec-syslog,
++APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
++  if test $withval = "yes"; then
++    if test "x${with_suexec_logfile}" != "xno"; then
++      AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
++      AC_MSG_ERROR([suexec does not support both logging to file and syslog])
++    fi
++    AC_CHECK_FUNCS([vsyslog], [], [
++       AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
++    AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
++  fi    
++])
++
++
+ AC_ARG_WITH(suexec-safepath,
+ APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
+   AC_DEFINE_UNQUOTED(AP_SAFE_PATH, "$withval", [safe shell path for SuExec] ) ] )

httpd.spec

@@ -8,7 +8,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -44,6 +44,7 @@ Patch23: httpd-2.4.1-export.patch
 Patch24: httpd-2.4.1-corelimit.patch
 Patch25: httpd-2.4.1-selinux.patch
 Patch26: httpd-2.4.1-suenable.patch
+Patch27: httpd-2.4.2-r1337344+.patch
 # Bug fixes
 Patch40: httpd-2.4.2-restart.patch
 Patch41: httpd-2.4.2-r1327036+.patch
@@ -154,6 +155,7 @@ authentication to the Apache HTTP Server.
 %patch24 -p1 -b .corelimit
 %patch25 -p1 -b .selinux
 %patch26 -p1 -b .suenable
+%patch27 -p1 -b .r1337344+
 
 %patch40 -p1 -b .restart
 %patch41 -p1 -b .r1327036+
@@ -209,7 +211,8 @@ export LYNX_PATH=/usr/bin/links
 	--enable-suexec --with-suexec \
 	--with-suexec-caller=%{suexec_caller} \
 	--with-suexec-docroot=%{docroot} \
-	--with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
+	--without-suexec-logfile \
+        --with-suexec-syslog \
 	--with-suexec-bin=%{_sbindir}/suexec \
 	--with-suexec-uidmin=500 --with-suexec-gidmin=100 \
         --enable-pie \
@@ -485,8 +488,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_sbindir}/fcgistarter
 %{_sbindir}/apachectl
 %{_sbindir}/rotatelogs
-# cap_dac_override needed to write to /var/log/httpd
-%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
+%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
 
 %dir %{_libdir}/httpd
 %dir %{_libdir}/httpd/modules
@@ -562,6 +564,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/rpm/macros.httpd
 
 %changelog
+* Wed May 23 2012 Joe Orton <jorton@redhat.com> - 2.4.2-8
+- suexec: use syslog rather than suexec.log, drop dac_override capability
+
 * Tue May  1 2012 Joe Orton <jorton@redhat.com> - 2.4.2-7
 - mod_ssl: add TLS NPN support (r1332643, #809599)