diff --git a/httpd-2.4.2-r1337344+.patch b/httpd-2.4.2-r1337344+.patch index d569dbf..df277dd 100644 --- a/httpd-2.4.2-r1337344+.patch +++ b/httpd-2.4.2-r1337344+.patch @@ -1,3 +1,4 @@ +# ./pullrev.sh 1337344 1341905 1342065 1341930 1344712 suexec enhancements: @@ -9,9 +10,181 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905 http://svn.apache.org/viewvc?view=revision&revision=1342065 http://svn.apache.org/viewvc?view=revision&revision=1341930 ---- httpd-2.4.2/configure.in.r1337344+ +http://svn.apache.org/viewvc?view=revision&revision=1344712 + +--- httpd-2.4.2/support/suexec.c ++++ httpd-2.4.2/support/suexec.c +@@ -58,6 +58,10 @@ + #include + #endif + ++#ifdef AP_LOG_SYSLOG ++#include ++#endif ++ + #if defined(PATH_MAX) + #define AP_MAXPATH PATH_MAX + #elif defined(MAXPATHLEN) +@@ -69,7 +73,20 @@ + #define AP_ENVBUF 256 + + extern char **environ; ++ ++#ifdef AP_LOG_SYSLOG ++/* Syslog support. */ ++#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV) ++#define AP_LOG_FACILITY LOG_AUTHPRIV ++#elif !defined(AP_LOG_FACILITY) ++#define AP_LOG_FACILITY LOG_AUTH ++#endif ++ ++static int log_open; ++#else ++/* Non-syslog support. */ + static FILE *log = NULL; ++#endif + + static const char *const safe_env_lst[] = + { +@@ -128,10 +145,23 @@ + NULL + }; + ++static void log_err(const char *fmt,...) ++ __attribute__((format(printf,1,2))); ++static void log_no_err(const char *fmt,...) ++ __attribute__((format(printf,1,2))); ++static void err_output(int is_error, const char *fmt, va_list ap) ++ __attribute__((format(printf,2,0))); + + static void err_output(int is_error, const char *fmt, va_list ap) + { +-#ifdef AP_LOG_EXEC ++#if defined(AP_LOG_SYSLOG) ++ if (!log_open) { ++ openlog("suexec", LOG_PID, AP_LOG_FACILITY); ++ log_open = 1; ++ } ++ ++ vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap); ++#elif defined(AP_LOG_EXEC) + time_t timevar; + struct tm *lt; + +@@ -263,7 +293,7 @@ + */ + uid = getuid(); + if ((pw = getpwuid(uid)) == NULL) { +- log_err("crit: invalid uid: (%ld)\n", uid); ++ log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid); + exit(102); + } + /* +@@ -289,7 +319,9 @@ + #ifdef AP_HTTPD_USER + fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER); + #endif +-#ifdef AP_LOG_EXEC ++#if defined(AP_LOG_SYSLOG) ++ fprintf(stderr, " -D AP_LOG_SYSLOG\n"); ++#elif defined(AP_LOG_EXEC) + fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); + #endif + #ifdef AP_SAFE_PATH +@@ -440,7 +472,7 @@ + * a UID less than AP_UID_MIN. Tsk tsk. + */ + if ((uid == 0) || (uid < AP_UID_MIN)) { +- log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd); ++ log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd); + exit(107); + } + +@@ -449,7 +481,7 @@ + * or as a GID less than AP_GID_MIN. Tsk tsk. + */ + if ((gid == 0) || (gid < AP_GID_MIN)) { +- log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd); ++ log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd); + exit(108); + } + +@@ -460,7 +492,7 @@ + * and setgid() to the target group. If unsuccessful, error out. + */ + if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) { +- log_err("failed to setgid (%ld: %s)\n", gid, cmd); ++ log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd); + exit(109); + } + +@@ -468,7 +500,7 @@ + * setuid() to the target user. Error out on fail. + */ + if ((setuid(uid)) != 0) { +- log_err("failed to setuid (%ld: %s)\n", uid, cmd); ++ log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd); + exit(110); + } + +@@ -556,11 +588,11 @@ + (gid != dir_info.st_gid) || + (uid != prg_info.st_uid) || + (gid != prg_info.st_gid)) { +- log_err("target uid/gid (%ld/%ld) mismatch " +- "with directory (%ld/%ld) or program (%ld/%ld)\n", +- uid, gid, +- dir_info.st_uid, dir_info.st_gid, +- prg_info.st_uid, prg_info.st_gid); ++ log_err("target uid/gid (%lu/%lu) mismatch " ++ "with directory (%lu/%lu) or program (%lu/%lu)\n", ++ (unsigned long)uid, (unsigned long)gid, ++ (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid, ++ (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid); + exit(120); + } + /* +@@ -585,6 +617,12 @@ + #endif /* AP_SUEXEC_UMASK */ + + /* Be sure to close the log file so the CGI can't mess with it. */ ++#ifdef AP_LOG_SYSLOG ++ if (log_open) { ++ closelog(); ++ log_open = 0; ++ } ++#else + if (log != NULL) { + #if APR_HAVE_FCNTL_H + /* +@@ -606,6 +644,7 @@ + log = NULL; + #endif + } ++#endif + + /* + * Execute the command, replacing our image with its own. +--- httpd-2.4.2/CHANGES ++++ httpd-2.4.2/CHANGES +@@ -1,6 +1,14 @@ + -*- coding: utf-8 -*- + Changes with Apache 2.5.0 + ++ *) suexec: Add --enable-suexec-capabilites support on Linux, to use ++ setuid/setgid capability bits rather than a setuid root binary. ++ [Joe Orton] ++ ++ *) suexec: Add support for logging to syslog as an alternative to ++ logging to a file; use --without-suexec-logfile --with-suexec-syslog. ++ [Joe Orton] ++ + *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on + one connection. PR 52275. [Naohiro Ooiwa ] + +--- httpd-2.4.2/configure.in +++ httpd-2.4.2/configure.in -@@ -700,7 +700,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin, +@@ -703,7 +703,24 @@ AC_ARG_WITH(suexec-logfile, APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[ @@ -37,7 +210,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 AC_ARG_WITH(suexec-safepath, APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[ -@@ -710,6 +727,15 @@ AC_ARG_WITH(suexec-umask, +@@ -721,6 +738,15 @@ APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] ) @@ -52,10 +225,39 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 + dnl APR should go after the other libs, so the right symbols can be picked up if test x${apu_found} != xobsolete; then - AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`" ---- httpd-2.4.2/docs/manual/suexec.html.en.r1337344+ + AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`" +--- httpd-2.4.2/Makefile.in ++++ httpd-2.4.2/Makefile.in +@@ -233,13 +233,24 @@ + cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ + fi + +-install-suexec: ++install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC) ++ ++install-suexec-binary: + @if test -f $(builddir)/support/suexec; then \ + test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ + $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ +- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ + fi + ++install-suexec-setuid: ++ @if test -f $(builddir)/support/suexec; then \ ++ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ ++ fi ++ ++install-suexec-caps: ++ @if test -f $(builddir)/support/suexec; then \ ++ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ ++ fi ++ + suexec: + cd support && $(MAKE) suexec + +--- httpd-2.4.2/docs/manual/suexec.html.en +++ httpd-2.4.2/docs/manual/suexec.html.en -@@ -369,6 +369,21 @@ +@@ -372,6 +372,21 @@ together with the --enable-suexec option to let APACI accept your request for using the suEXEC feature. @@ -77,7 +279,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
--with-suexec-bin=PATH
The path to the suexec binary must be hard-coded -@@ -430,6 +445,12 @@ +@@ -418,6 +433,12 @@ "suexec_log" and located in your standard logfile directory (--logfiledir).
@@ -90,7 +292,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
--with-suexec-safepath=PATH
Define a safe PATH environment to pass to CGI -@@ -546,9 +567,12 @@ +@@ -535,9 +556,12 @@

The suEXEC wrapper will write log information to the file defined with the --with-suexec-logfile @@ -106,43 +308,13 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930

top
-@@ -615,4 +639,4 @@ -
+@@ -629 +653 @@ - \ No newline at end of file + ---- httpd-2.4.2/Makefile.in.r1337344+ -+++ httpd-2.4.2/Makefile.in -@@ -236,11 +236,22 @@ install-man: - cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ - fi - --install-suexec: -+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC) -+ -+install-suexec-binary: - @if test -f $(builddir)/support/suexec; then \ - test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ - $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ -- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ -+ fi -+ -+install-suexec-setuid: -+ @if test -f $(builddir)/support/suexec; then \ -+ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ -+ fi -+ -+install-suexec-caps: -+ @if test -f $(builddir)/support/suexec; then \ -+ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ - fi - - suexec: ---- httpd-2.4.2/modules/arch/unix/mod_unixd.c.r1337344+ +--- httpd-2.4.2/modules/arch/unix/mod_unixd.c +++ httpd-2.4.2/modules/arch/unix/mod_unixd.c -@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d +@@ -284,6 +284,13 @@ return NULL; } @@ -156,7 +328,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 static int unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) -@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_ +@@ -300,7 +307,7 @@ ap_unixd_config.suexec_enabled = 0; if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) == APR_SUCCESS) { @@ -165,148 +337,3 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) { ap_unixd_config.suexec_enabled = 1; ap_unixd_config.suexec_disabled_reason = ""; ---- httpd-2.4.2/support/suexec.c.r1337344+ -+++ httpd-2.4.2/support/suexec.c -@@ -58,6 +58,10 @@ - #include - #endif - -+#ifdef AP_LOG_SYSLOG -+#include -+#endif -+ - #if defined(PATH_MAX) - #define AP_MAXPATH PATH_MAX - #elif defined(MAXPATHLEN) -@@ -69,7 +73,12 @@ - #define AP_ENVBUF 256 - - extern char **environ; -+ -+#ifdef AP_LOG_SYSLOG -+static int log_open; -+#else - static FILE *log = NULL; -+#endif - - static const char *const safe_env_lst[] = - { -@@ -128,10 +137,23 @@ static const char *const safe_env_lst[] - NULL - }; - -+static void log_err(const char *fmt,...) -+ __attribute__((format(printf,1,2))); -+static void log_no_err(const char *fmt,...) -+ __attribute__((format(printf,1,2))); -+static void err_output(int is_error, const char *fmt, va_list ap) -+ __attribute__((format(printf,2,0))); - - static void err_output(int is_error, const char *fmt, va_list ap) - { --#ifdef AP_LOG_EXEC -+#if defined(AP_LOG_SYSLOG) -+ if (!log_open) { -+ openlog("suexec", LOG_PID, LOG_DAEMON); -+ log_open = 1; -+ } -+ -+ vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap); -+#elif defined(AP_LOG_EXEC) - time_t timevar; - struct tm *lt; - -@@ -263,7 +285,7 @@ int main(int argc, char *argv[]) - */ - uid = getuid(); - if ((pw = getpwuid(uid)) == NULL) { -- log_err("crit: invalid uid: (%ld)\n", uid); -+ log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid); - exit(102); - } - /* -@@ -289,7 +311,9 @@ int main(int argc, char *argv[]) - #ifdef AP_HTTPD_USER - fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER); - #endif --#ifdef AP_LOG_EXEC -+#if defined(AP_LOG_SYSLOG) -+ fprintf(stderr, " -D AP_LOG_SYSLOG\n"); -+#elif defined(AP_LOG_EXEC) - fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); - #endif - #ifdef AP_SAFE_PATH -@@ -440,7 +464,7 @@ int main(int argc, char *argv[]) - * a UID less than AP_UID_MIN. Tsk tsk. - */ - if ((uid == 0) || (uid < AP_UID_MIN)) { -- log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd); -+ log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd); - exit(107); - } - -@@ -449,7 +473,7 @@ int main(int argc, char *argv[]) - * or as a GID less than AP_GID_MIN. Tsk tsk. - */ - if ((gid == 0) || (gid < AP_GID_MIN)) { -- log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd); -+ log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd); - exit(108); - } - -@@ -460,7 +484,7 @@ int main(int argc, char *argv[]) - * and setgid() to the target group. If unsuccessful, error out. - */ - if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) { -- log_err("failed to setgid (%ld: %s)\n", gid, cmd); -+ log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd); - exit(109); - } - -@@ -468,7 +492,7 @@ int main(int argc, char *argv[]) - * setuid() to the target user. Error out on fail. - */ - if ((setuid(uid)) != 0) { -- log_err("failed to setuid (%ld: %s)\n", uid, cmd); -+ log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd); - exit(110); - } - -@@ -556,11 +580,11 @@ int main(int argc, char *argv[]) - (gid != dir_info.st_gid) || - (uid != prg_info.st_uid) || - (gid != prg_info.st_gid)) { -- log_err("target uid/gid (%ld/%ld) mismatch " -- "with directory (%ld/%ld) or program (%ld/%ld)\n", -- uid, gid, -- dir_info.st_uid, dir_info.st_gid, -- prg_info.st_uid, prg_info.st_gid); -+ log_err("target uid/gid (%lu/%lu) mismatch " -+ "with directory (%lu/%lu) or program (%lu/%lu)\n", -+ (unsigned long)uid, (unsigned long)gid, -+ (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid, -+ (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid); - exit(120); - } - /* -@@ -585,6 +609,12 @@ int main(int argc, char *argv[]) - #endif /* AP_SUEXEC_UMASK */ - - /* Be sure to close the log file so the CGI can't mess with it. */ -+#ifdef AP_LOG_SYSLOG -+ if (log_open) { -+ closelog(); -+ log_open = 0; -+ } -+#else - if (log != NULL) { - #if APR_HAVE_FCNTL_H - /* -@@ -606,6 +636,7 @@ int main(int argc, char *argv[]) - log = NULL; - #endif - } -+#endif - - /* - * Execute the command, replacing our image with its own. diff --git a/httpd.spec b/httpd.spec index 6125e63..6710fa8 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.2 -Release: 11%{?dist} +Release: 12%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -565,6 +565,9 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog +* Thu May 31 2012 Joe Orton - 2.4.2-12 +- update suexec patch to use LOG_AUTHPRIV facility + * Thu May 24 2012 Joe Orton - 2.4.2-11 - really fix autoindex.conf (thanks to remi@)