rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

update suexec patch to use LOG_AUTHPRIV facility

Browse Source
This commit is contained in:
Joe Orton 2012-05-31 14:30:39 +01:00
parent ddd6f9f031
commit 969baf89f0
2 changed files with 218 additions and 188 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

401
httpd-2.4.2-r1337344+.patch
View File

@ -1,3 +1,4 @@
# ./pullrev.sh 1337344 1341905 1342065 1341930 1344712
suexec enhancements: suexec enhancements:
@ -9,9 +10,181 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
http://svn.apache.org/viewvc?view=revision&revision=1342065 http://svn.apache.org/viewvc?view=revision&revision=1342065
http://svn.apache.org/viewvc?view=revision&revision=1341930 http://svn.apache.org/viewvc?view=revision&revision=1341930
--- httpd-2.4.2/configure.in.r1337344+ http://svn.apache.org/viewvc?view=revision&revision=1344712
--- httpd-2.4.2/support/suexec.c
+++ httpd-2.4.2/support/suexec.c
@@ -58,6 +58,10 @@
#include <grp.h>
#endif
+#ifdef AP_LOG_SYSLOG
+#include <syslog.h>
+#endif
+
#if defined(PATH_MAX)
#define AP_MAXPATH PATH_MAX
#elif defined(MAXPATHLEN)
@@ -69,7 +73,20 @@
#define AP_ENVBUF 256
extern char **environ;
+
+#ifdef AP_LOG_SYSLOG
+/* Syslog support. */
+#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV)
+#define AP_LOG_FACILITY LOG_AUTHPRIV
+#elif !defined(AP_LOG_FACILITY)
+#define AP_LOG_FACILITY LOG_AUTH
+#endif
+
+static int log_open;
+#else
+/* Non-syslog support. */
static FILE *log = NULL;
+#endif
static const char *const safe_env_lst[] =
{
@@ -128,10 +145,23 @@
NULL
};
+static void log_err(const char *fmt,...)
+ __attribute__((format(printf,1,2)));
+static void log_no_err(const char *fmt,...)
+ __attribute__((format(printf,1,2)));
+static void err_output(int is_error, const char *fmt, va_list ap)
+ __attribute__((format(printf,2,0)));
static void err_output(int is_error, const char *fmt, va_list ap)
{
-#ifdef AP_LOG_EXEC
+#if defined(AP_LOG_SYSLOG)
+ if (!log_open) {
+ openlog("suexec", LOG_PID, AP_LOG_FACILITY);
+ log_open = 1;
+ }
+
+ vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
+#elif defined(AP_LOG_EXEC)
time_t timevar;
struct tm *lt;
@@ -263,7 +293,7 @@
*/
uid = getuid();
if ((pw = getpwuid(uid)) == NULL) {
- log_err("crit: invalid uid: (%ld)\n", uid);
+ log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid);
exit(102);
}
/*
@@ -289,7 +319,9 @@
#ifdef AP_HTTPD_USER
fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
#endif
-#ifdef AP_LOG_EXEC
+#if defined(AP_LOG_SYSLOG)
+ fprintf(stderr, " -D AP_LOG_SYSLOG\n");
+#elif defined(AP_LOG_EXEC)
fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
#endif
#ifdef AP_SAFE_PATH
@@ -440,7 +472,7 @@
* a UID less than AP_UID_MIN. Tsk tsk.
*/
if ((uid == 0) || (uid < AP_UID_MIN)) {
- log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
+ log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
exit(107);
}
@@ -449,7 +481,7 @@
* or as a GID less than AP_GID_MIN. Tsk tsk.
*/
if ((gid == 0) || (gid < AP_GID_MIN)) {
- log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
+ log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd);
exit(108);
}
@@ -460,7 +492,7 @@
* and setgid() to the target group. If unsuccessful, error out.
*/
if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
- log_err("failed to setgid (%ld: %s)\n", gid, cmd);
+ log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd);
exit(109);
}
@@ -468,7 +500,7 @@
* setuid() to the target user. Error out on fail.
*/
if ((setuid(uid)) != 0) {
- log_err("failed to setuid (%ld: %s)\n", uid, cmd);
+ log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
exit(110);
}
@@ -556,11 +588,11 @@
(gid != dir_info.st_gid) ||
(uid != prg_info.st_uid) ||
(gid != prg_info.st_gid)) {
- log_err("target uid/gid (%ld/%ld) mismatch "
- "with directory (%ld/%ld) or program (%ld/%ld)\n",
- uid, gid,
- dir_info.st_uid, dir_info.st_gid,
- prg_info.st_uid, prg_info.st_gid);
+ log_err("target uid/gid (%lu/%lu) mismatch "
+ "with directory (%lu/%lu) or program (%lu/%lu)\n",
+ (unsigned long)uid, (unsigned long)gid,
+ (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid,
+ (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
exit(120);
}
/*
@@ -585,6 +617,12 @@
#endif /* AP_SUEXEC_UMASK */
/* Be sure to close the log file so the CGI can't mess with it. */
+#ifdef AP_LOG_SYSLOG
+ if (log_open) {
+ closelog();
+ log_open = 0;
+ }
+#else
if (log != NULL) {
#if APR_HAVE_FCNTL_H
/*
@@ -606,6 +644,7 @@
log = NULL;
#endif
}
+#endif
/*
* Execute the command, replacing our image with its own.
--- httpd-2.4.2/CHANGES
+++ httpd-2.4.2/CHANGES
@@ -1,6 +1,14 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) suexec: Add --enable-suexec-capabilites support on Linux, to use
+ setuid/setgid capability bits rather than a setuid root binary.
+ [Joe Orton]
+
+ *) suexec: Add support for logging to syslog as an alternative to
+ logging to a file; use --without-suexec-logfile --with-suexec-syslog.
+ [Joe Orton]
+
*) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
--- httpd-2.4.2/configure.in
+++ httpd-2.4.2/configure.in +++ httpd-2.4.2/configure.in
@@ -700,7 +700,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin, @@ -703,7 +703,24 @@
AC_ARG_WITH(suexec-logfile, AC_ARG_WITH(suexec-logfile,
APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[ APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
@ -37,7 +210,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
AC_ARG_WITH(suexec-safepath, AC_ARG_WITH(suexec-safepath,
APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[ APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
@@ -710,6 +727,15 @@ AC_ARG_WITH(suexec-umask, @@ -721,6 +738,15 @@
APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[ APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] ) AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
@ -52,10 +225,39 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
+ +
dnl APR should go after the other libs, so the right symbols can be picked up dnl APR should go after the other libs, so the right symbols can be picked up
if test x${apu_found} != xobsolete; then if test x${apu_found} != xobsolete; then
AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`" AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`"
--- httpd-2.4.2/docs/manual/suexec.html.en.r1337344+ --- httpd-2.4.2/Makefile.in
+++ httpd-2.4.2/Makefile.in
@@ -233,13 +233,24 @@
cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
fi
-install-suexec:
+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
+
+install-suexec-binary:
@if test -f $(builddir)/support/suexec; then \
test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
$(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
fi
+install-suexec-setuid:
+ @if test -f $(builddir)/support/suexec; then \
+ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
+install-suexec-caps:
+ @if test -f $(builddir)/support/suexec; then \
+ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
suexec:
cd support && $(MAKE) suexec
--- httpd-2.4.2/docs/manual/suexec.html.en
+++ httpd-2.4.2/docs/manual/suexec.html.en +++ httpd-2.4.2/docs/manual/suexec.html.en
@@ -369,6 +369,21 @@ @@ -372,6 +372,21 @@
together with the <code>--enable-suexec</code> option to let together with the <code>--enable-suexec</code> option to let
APACI accept your request for using the suEXEC feature.</dd> APACI accept your request for using the suEXEC feature.</dd>
@ -77,7 +279,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
<dt><code>--with-suexec-bin=<em>PATH</em></code></dt> <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
<dd>The path to the <code>suexec</code> binary must be hard-coded <dd>The path to the <code>suexec</code> binary must be hard-coded
@@ -430,6 +445,12 @@ @@ -418,6 +433,12 @@
"<code>suexec_log</code>" and located in your standard logfile "<code>suexec_log</code>" and located in your standard logfile
directory (<code>--logfiledir</code>).</dd> directory (<code>--logfiledir</code>).</dd>
@ -90,7 +292,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
<dt><code>--with-suexec-safepath=<em>PATH</em></code></dt> <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
<dd>Define a safe PATH environment to pass to CGI <dd>Define a safe PATH environment to pass to CGI
@@ -546,9 +567,12 @@ @@ -535,9 +556,12 @@
<p>The suEXEC wrapper will write log information <p>The suEXEC wrapper will write log information
to the file defined with the <code>--with-suexec-logfile</code> to the file defined with the <code>--with-suexec-logfile</code>
@ -106,43 +308,13 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
</div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div> </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
<div class="section"> <div class="section">
@@ -615,4 +639,4 @@ @@ -629 +653 @@
</div><div id="footer">
<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div>
-</body></html> -</body></html>
\ No newline at end of file \ No newline at end of file
+</body></html> +</body></html>
--- httpd-2.4.2/Makefile.in.r1337344+ --- httpd-2.4.2/modules/arch/unix/mod_unixd.c
+++ httpd-2.4.2/Makefile.in
@@ -236,11 +236,22 @@ install-man:
cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
fi
-install-suexec:
+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
+
+install-suexec-binary:
@if test -f $(builddir)/support/suexec; then \
test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
$(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
+install-suexec-setuid:
+ @if test -f $(builddir)/support/suexec; then \
+ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
+install-suexec-caps:
+ @if test -f $(builddir)/support/suexec; then \
+ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
fi
suexec:
--- httpd-2.4.2/modules/arch/unix/mod_unixd.c.r1337344+
+++ httpd-2.4.2/modules/arch/unix/mod_unixd.c +++ httpd-2.4.2/modules/arch/unix/mod_unixd.c
@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d @@ -284,6 +284,13 @@
return NULL; return NULL;
} }
@ -156,7 +328,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
static int static int
unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp) apr_pool_t *ptemp)
@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_ @@ -300,7 +307,7 @@
ap_unixd_config.suexec_enabled = 0; ap_unixd_config.suexec_enabled = 0;
if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
== APR_SUCCESS) { == APR_SUCCESS) {
@ -165,148 +337,3 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
&& (access(SUEXEC_BIN, R_OK|X_OK) == 0)) { && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
ap_unixd_config.suexec_enabled = 1; ap_unixd_config.suexec_enabled = 1;
ap_unixd_config.suexec_disabled_reason = ""; ap_unixd_config.suexec_disabled_reason = "";
--- httpd-2.4.2/support/suexec.c.r1337344+
+++ httpd-2.4.2/support/suexec.c
@@ -58,6 +58,10 @@
#include <grp.h>
#endif
+#ifdef AP_LOG_SYSLOG
+#include <syslog.h>
+#endif
+
#if defined(PATH_MAX)
#define AP_MAXPATH PATH_MAX
#elif defined(MAXPATHLEN)
@@ -69,7 +73,12 @@
#define AP_ENVBUF 256
extern char **environ;
+
+#ifdef AP_LOG_SYSLOG
+static int log_open;
+#else
static FILE *log = NULL;
+#endif
static const char *const safe_env_lst[] =
{
@@ -128,10 +137,23 @@ static const char *const safe_env_lst[]
NULL
};
+static void log_err(const char *fmt,...)
+ __attribute__((format(printf,1,2)));
+static void log_no_err(const char *fmt,...)
+ __attribute__((format(printf,1,2)));
+static void err_output(int is_error, const char *fmt, va_list ap)
+ __attribute__((format(printf,2,0)));
static void err_output(int is_error, const char *fmt, va_list ap)
{
-#ifdef AP_LOG_EXEC
+#if defined(AP_LOG_SYSLOG)
+ if (!log_open) {
+ openlog("suexec", LOG_PID, LOG_DAEMON);
+ log_open = 1;
+ }
+
+ vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
+#elif defined(AP_LOG_EXEC)
time_t timevar;
struct tm *lt;
@@ -263,7 +285,7 @@ int main(int argc, char *argv[])
*/
uid = getuid();
if ((pw = getpwuid(uid)) == NULL) {
- log_err("crit: invalid uid: (%ld)\n", uid);
+ log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid);
exit(102);
}
/*
@@ -289,7 +311,9 @@ int main(int argc, char *argv[])
#ifdef AP_HTTPD_USER
fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
#endif
-#ifdef AP_LOG_EXEC
+#if defined(AP_LOG_SYSLOG)
+ fprintf(stderr, " -D AP_LOG_SYSLOG\n");
+#elif defined(AP_LOG_EXEC)
fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
#endif
#ifdef AP_SAFE_PATH
@@ -440,7 +464,7 @@ int main(int argc, char *argv[])
* a UID less than AP_UID_MIN. Tsk tsk.
*/
if ((uid == 0) || (uid < AP_UID_MIN)) {
- log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
+ log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
exit(107);
}
@@ -449,7 +473,7 @@ int main(int argc, char *argv[])
* or as a GID less than AP_GID_MIN. Tsk tsk.
*/
if ((gid == 0) || (gid < AP_GID_MIN)) {
- log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
+ log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd);
exit(108);
}
@@ -460,7 +484,7 @@ int main(int argc, char *argv[])
* and setgid() to the target group. If unsuccessful, error out.
*/
if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
- log_err("failed to setgid (%ld: %s)\n", gid, cmd);
+ log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd);
exit(109);
}
@@ -468,7 +492,7 @@ int main(int argc, char *argv[])
* setuid() to the target user. Error out on fail.
*/
if ((setuid(uid)) != 0) {
- log_err("failed to setuid (%ld: %s)\n", uid, cmd);
+ log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
exit(110);
}
@@ -556,11 +580,11 @@ int main(int argc, char *argv[])
(gid != dir_info.st_gid) ||
(uid != prg_info.st_uid) ||
(gid != prg_info.st_gid)) {
- log_err("target uid/gid (%ld/%ld) mismatch "
- "with directory (%ld/%ld) or program (%ld/%ld)\n",
- uid, gid,
- dir_info.st_uid, dir_info.st_gid,
- prg_info.st_uid, prg_info.st_gid);
+ log_err("target uid/gid (%lu/%lu) mismatch "
+ "with directory (%lu/%lu) or program (%lu/%lu)\n",
+ (unsigned long)uid, (unsigned long)gid,
+ (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid,
+ (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
exit(120);
}
/*
@@ -585,6 +609,12 @@ int main(int argc, char *argv[])
#endif /* AP_SUEXEC_UMASK */
/* Be sure to close the log file so the CGI can't mess with it. */
+#ifdef AP_LOG_SYSLOG
+ if (log_open) {
+ closelog();
+ log_open = 0;
+ }
+#else
if (log != NULL) {
#if APR_HAVE_FCNTL_H
/*
@@ -606,6 +636,7 @@ int main(int argc, char *argv[])
log = NULL;
#endif
}
+#endif
/*
* Execute the command, replacing our image with its own.

5
httpd.spec
View File

@ -8,7 +8,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.2 Version: 2.4.2
Release: 11%{?dist} Release: 12%{?dist}
URL: http://httpd.apache.org/ URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html Source1: index.html
@ -565,6 +565,9 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd %{_sysconfdir}/rpm/macros.httpd
%changelog %changelog
* Thu May 31 2012 Joe Orton <jorton@redhat.com> - 2.4.2-12
- update suexec patch to use LOG_AUTHPRIV facility
* Thu May 24 2012 Joe Orton <jorton@redhat.com> - 2.4.2-11 * Thu May 24 2012 Joe Orton <jorton@redhat.com> - 2.4.2-11
- really fix autoindex.conf (thanks to remi@) - really fix autoindex.conf (thanks to remi@)