rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

suexec: use syslog rather than suexec.log, drop dac_override capability

Browse Source
This commit is contained in:
Joe Orton 2012-05-23 17:01:18 +01:00
parent f04e6633be
commit 22bfb45d02
2 changed files with 187 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

178
httpd-2.4.2-r1337344+.patch Normal file
View File

@ -0,0 +1,178 @@
http://svn.apache.org/viewvc?view=revision&revision=1337344
http://svn.apache.org/viewvc?view=revision&revision=1341905
--- httpd-2.4.2/support/suexec.c
+++ httpd-2.4.2/support/suexec.c
@@ -58,6 +58,10 @@
#include <grp.h>
#endif
+#ifdef AP_LOG_SYSLOG
+#include <syslog.h>
+#endif
+
#if defined(PATH_MAX)
#define AP_MAXPATH PATH_MAX
#elif defined(MAXPATHLEN)
@@ -69,7 +73,12 @@
#define AP_ENVBUF 256
extern char **environ;
+
+#ifdef AP_LOG_SYSLOG
+static int log_open;
+#else
static FILE *log = NULL;
+#endif
static const char *const safe_env_lst[] =
{
@@ -128,10 +137,23 @@
NULL
};
+static void log_err(const char *fmt,...)
+ __attribute__((format(printf,1,2)));
+static void log_no_err(const char *fmt,...)
+ __attribute__((format(printf,1,2)));
+static void err_output(int is_error, const char *fmt, va_list ap)
+ __attribute__((format(printf,2,0)));
static void err_output(int is_error, const char *fmt, va_list ap)
{
-#ifdef AP_LOG_EXEC
+#if defined(AP_LOG_SYSLOG)
+ if (!log_open) {
+ openlog("suexec", LOG_PID, LOG_DAEMON);
+ log_open = 1;
+ }
+
+ vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
+#elif defined(AP_LOG_EXEC)
time_t timevar;
struct tm *lt;
@@ -263,7 +285,7 @@
*/
uid = getuid();
if ((pw = getpwuid(uid)) == NULL) {
- log_err("crit: invalid uid: (%ld)\n", uid);
+ log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid);
exit(102);
}
/*
@@ -289,7 +311,9 @@
#ifdef AP_HTTPD_USER
fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
#endif
-#ifdef AP_LOG_EXEC
+#if defined(AP_LOG_SYSLOG)
+ fprintf(stderr, " -D AP_LOG_SYSLOG\n");
+#elif defined(AP_LOG_EXEC)
fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
#endif
#ifdef AP_SAFE_PATH
@@ -440,7 +464,7 @@
* a UID less than AP_UID_MIN. Tsk tsk.
*/
if ((uid == 0) || (uid < AP_UID_MIN)) {
- log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
+ log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
exit(107);
}
@@ -449,7 +473,7 @@
* or as a GID less than AP_GID_MIN. Tsk tsk.
*/
if ((gid == 0) || (gid < AP_GID_MIN)) {
- log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
+ log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd);
exit(108);
}
@@ -460,7 +484,7 @@
* and setgid() to the target group. If unsuccessful, error out.
*/
if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
- log_err("failed to setgid (%ld: %s)\n", gid, cmd);
+ log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd);
exit(109);
}
@@ -468,7 +492,7 @@
* setuid() to the target user. Error out on fail.
*/
if ((setuid(uid)) != 0) {
- log_err("failed to setuid (%ld: %s)\n", uid, cmd);
+ log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
exit(110);
}
@@ -556,11 +580,11 @@
(gid != dir_info.st_gid) ||
(uid != prg_info.st_uid) ||
(gid != prg_info.st_gid)) {
- log_err("target uid/gid (%ld/%ld) mismatch "
- "with directory (%ld/%ld) or program (%ld/%ld)\n",
- uid, gid,
- dir_info.st_uid, dir_info.st_gid,
- prg_info.st_uid, prg_info.st_gid);
+ log_err("target uid/gid (%lu/%lu) mismatch "
+ "with directory (%lu/%lu) or program (%lu/%lu)\n",
+ (unsigned long)uid, (unsigned long)gid,
+ (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid,
+ (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
exit(120);
}
/*
@@ -585,6 +609,12 @@
#endif /* AP_SUEXEC_UMASK */
/* Be sure to close the log file so the CGI can't mess with it. */
+#ifdef AP_LOG_SYSLOG
+ if (log_open) {
+ closelog();
+ log_open = 0;
+ }
+#else
if (log != NULL) {
#if APR_HAVE_FCNTL_H
/*
@@ -606,6 +636,7 @@
log = NULL;
#endif
}
+#endif
/*
* Execute the command, replacing our image with its own.
--- httpd-2.4.2/configure.in
+++ httpd-2.4.2/configure.in
@@ -703,8 +703,25 @@
AC_ARG_WITH(suexec-logfile,
APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
+ if test "x$withval" = "xyes"; then
+ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
+ fi
+])
+AC_ARG_WITH(suexec-syslog,
+APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
+ if test $withval = "yes"; then
+ if test "x${with_suexec_logfile}" != "xno"; then
+ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
+ AC_MSG_ERROR([suexec does not support both logging to file and syslog])
+ fi
+ AC_CHECK_FUNCS([vsyslog], [], [
+ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
+ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
+ fi
+])
+
+
AC_ARG_WITH(suexec-safepath,
APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
AC_DEFINE_UNQUOTED(AP_SAFE_PATH, "$withval", [safe shell path for SuExec] ) ] )

13
httpd.spec
View File

@ -8,7 +8,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.2 Version: 2.4.2
Release: 7%{?dist} Release: 8%{?dist}
URL: http://httpd.apache.org/ URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html Source1: index.html
@ -44,6 +44,7 @@ Patch23: httpd-2.4.1-export.patch
Patch24: httpd-2.4.1-corelimit.patch Patch24: httpd-2.4.1-corelimit.patch
Patch25: httpd-2.4.1-selinux.patch Patch25: httpd-2.4.1-selinux.patch
Patch26: httpd-2.4.1-suenable.patch Patch26: httpd-2.4.1-suenable.patch
Patch27: httpd-2.4.2-r1337344+.patch
# Bug fixes # Bug fixes
Patch40: httpd-2.4.2-restart.patch Patch40: httpd-2.4.2-restart.patch
Patch41: httpd-2.4.2-r1327036+.patch Patch41: httpd-2.4.2-r1327036+.patch
@ -154,6 +155,7 @@ authentication to the Apache HTTP Server.
%patch24 -p1 -b .corelimit %patch24 -p1 -b .corelimit
%patch25 -p1 -b .selinux %patch25 -p1 -b .selinux
%patch26 -p1 -b .suenable %patch26 -p1 -b .suenable
%patch27 -p1 -b .r1337344+
%patch40 -p1 -b .restart %patch40 -p1 -b .restart
%patch41 -p1 -b .r1327036+ %patch41 -p1 -b .r1327036+
@ -209,7 +211,8 @@ export LYNX_PATH=/usr/bin/links
--enable-suexec --with-suexec \ --enable-suexec --with-suexec \
--with-suexec-caller=%{suexec_caller} \ --with-suexec-caller=%{suexec_caller} \
--with-suexec-docroot=%{docroot} \ --with-suexec-docroot=%{docroot} \
--with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \ --without-suexec-logfile \
--with-suexec-syslog \
--with-suexec-bin=%{_sbindir}/suexec \ --with-suexec-bin=%{_sbindir}/suexec \
--with-suexec-uidmin=500 --with-suexec-gidmin=100 \ --with-suexec-uidmin=500 --with-suexec-gidmin=100 \
--enable-pie \ --enable-pie \
@ -485,8 +488,7 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/fcgistarter %{_sbindir}/fcgistarter
%{_sbindir}/apachectl %{_sbindir}/apachectl
%{_sbindir}/rotatelogs %{_sbindir}/rotatelogs
# cap_dac_override needed to write to /var/log/httpd %caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
%dir %{_libdir}/httpd %dir %{_libdir}/httpd
%dir %{_libdir}/httpd/modules %dir %{_libdir}/httpd/modules
@ -562,6 +564,9 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd %{_sysconfdir}/rpm/macros.httpd
%changelog %changelog
* Wed May 23 2012 Joe Orton <jorton@redhat.com> - 2.4.2-8
- suexec: use syslog rather than suexec.log, drop dac_override capability
* Tue May 1 2012 Joe Orton <jorton@redhat.com> - 2.4.2-7 * Tue May 1 2012 Joe Orton <jorton@redhat.com> - 2.4.2-7
- mod_ssl: add TLS NPN support (r1332643, #809599) - mod_ssl: add TLS NPN support (r1332643, #809599)