From d3d3699597e6cd3f95fe80e7bbcd7297af2df8ac Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 23 May 2012 22:48:18 +0100
Subject: [PATCH] suexec: use upstream version of patch for capability bit
support
---
httpd-2.4.1-suenable.patch | 18 ----
httpd-2.4.2-r1337344+.patch | 209 +++++++++++++++++++++++++++++-------
httpd.spec | 18 ++--
3 files changed, 179 insertions(+), 66 deletions(-)
delete mode 100644 httpd-2.4.1-suenable.patch
diff --git a/httpd-2.4.1-suenable.patch b/httpd-2.4.1-suenable.patch
deleted file mode 100644
index f2287fd..0000000
--- a/httpd-2.4.1-suenable.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Removes setuid check because we are now using capabilities to ensure proper
-suexec rights.
-
-Upstream-status: vendor specific.
-
-diff --git a/os/unix/unixd.c b/os/unix/unixd.c
-index 85d5a98..1ee1dfe 100644
---- httpd-2.4.1/modules/arch/unix/mod_unixd.c.suenable
-+++ httpd-2.4.1/modules/arch/unix/mod_unixd.c
-@@ -300,7 +300,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
- ap_unixd_config.suexec_enabled = 0;
- if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
- == APR_SUCCESS) {
-- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
-+ if (wrapper.user == 0
- && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
- ap_unixd_config.suexec_enabled = 1;
- ap_unixd_config.suexec_disabled_reason = "";
diff --git a/httpd-2.4.2-r1337344+.patch b/httpd-2.4.2-r1337344+.patch
index bac05d9..69eb5d9 100644
--- a/httpd-2.4.2-r1337344+.patch
+++ b/httpd-2.4.2-r1337344+.patch
@@ -1,8 +1,166 @@
http://svn.apache.org/viewvc?view=revision&revision=1337344
http://svn.apache.org/viewvc?view=revision&revision=1341905
+http://svn.apache.org/viewvc?view=revision&revision=1342065
+http://svn.apache.org/viewvc?view=revision&revision=1341930
---- httpd-2.4.2/support/suexec.c
+--- httpd-2.4.2/configure.in.r1337344+
++++ httpd-2.4.2/configure.in
+@@ -700,7 +700,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
+
+ AC_ARG_WITH(suexec-logfile,
+ APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
+- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
++ if test "x$withval" = "xyes"; then
++ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
++ fi
++])
++
++AC_ARG_WITH(suexec-syslog,
++APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
++ if test $withval = "yes"; then
++ if test "x${with_suexec_logfile}" != "xno"; then
++ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
++ AC_MSG_ERROR([suexec does not support both logging to file and syslog])
++ fi
++ AC_CHECK_FUNCS([vsyslog], [], [
++ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
++ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
++ fi
++])
++
+
+ AC_ARG_WITH(suexec-safepath,
+ APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
+@@ -710,6 +727,15 @@ AC_ARG_WITH(suexec-umask,
+ APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
+ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
+
++INSTALL_SUEXEC=setuid
++AC_ARG_ENABLE([suexec-capabilities],
++APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
++INSTALL_SUEXEC=caps
++AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
++ [Enable if suexec is installed with Linux capabilities, not setuid])
++])
++APACHE_SUBST(INSTALL_SUEXEC)
++
+ dnl APR should go after the other libs, so the right symbols can be picked up
+ if test x${apu_found} != xobsolete; then
+ AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
+--- httpd-2.4.2/docs/manual/suexec.html.en.r1337344+
++++ httpd-2.4.2/docs/manual/suexec.html.en
+@@ -369,6 +369,21 @@
+ together with the --enable-suexec
option to let
+ APACI accept your request for using the suEXEC feature.
+
++ --enable-suexec-capabilities
++
++ Linux specific: Normally,
++ the suexec
binary is installed "setuid/setgid
++ root", which allows it to run with the full privileges of the
++ root user. If this option is used, the suexec
++ binary will instead be installed with only the setuid/setgid
++ "capability" bits set, which is the subset of full root
++ priviliges required for suexec operation. Note that
++ the suexec
binary may not be able to write to a log
++ file in this mode; it is recommended that the
++ --with-suexec-syslog --without-suexec-logfile
++ options are used in conjunction with this mode, so that syslog
++ logging is used instead.
++
+ --with-suexec-bin=PATH
+
+ The path to the suexec
binary must be hard-coded
+@@ -430,6 +445,12 @@
+ "suexec_log
" and located in your standard logfile
+ directory (--logfiledir
).
+
++ --with-suexec-syslog
++
++ If defined, suexec will log notices and errors to syslog
++ instead of a logfile. This option must be combined
++ with --without-suexec-logfile
.
++
+ --with-suexec-safepath=PATH
+
+ Define a safe PATH environment to pass to CGI
+@@ -546,9 +567,12 @@
+
+ The suEXEC wrapper will write log information
+ to the file defined with the --with-suexec-logfile
+- option as indicated above. If you feel you have configured and
+- installed the wrapper properly, have a look at this log and the
+- error_log for the server to see where you may have gone astray.
++ option as indicated above, or to syslog if --with-suexec-syslog
++ is used. If you feel you have configured and
++ installed the wrapper properly, have a look at the log and the
++ error_log for the server to see where you may have gone astray.
++ The output of "suexec -V"
will show the options
++ used to compile suexec, if using a binary distribution.
+
+
+
+@@ -615,4 +639,4 @@
+
+-