suexec: use upstream version of patch for capability bit support

This commit is contained in:
Joe Orton 2012-05-23 22:48:18 +01:00
parent 22bfb45d02
commit d3d3699597
3 changed files with 179 additions and 66 deletions

View File

@ -1,18 +0,0 @@
Removes setuid check because we are now using capabilities to ensure proper
suexec rights.
Upstream-status: vendor specific.
diff --git a/os/unix/unixd.c b/os/unix/unixd.c
index 85d5a98..1ee1dfe 100644
--- httpd-2.4.1/modules/arch/unix/mod_unixd.c.suenable
+++ httpd-2.4.1/modules/arch/unix/mod_unixd.c
@@ -300,7 +300,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
ap_unixd_config.suexec_enabled = 0;
if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
== APR_SUCCESS) {
- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
+ if (wrapper.user == 0
&& (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
ap_unixd_config.suexec_enabled = 1;
ap_unixd_config.suexec_disabled_reason = "";

View File

@ -1,8 +1,166 @@
http://svn.apache.org/viewvc?view=revision&revision=1337344 http://svn.apache.org/viewvc?view=revision&revision=1337344
http://svn.apache.org/viewvc?view=revision&revision=1341905 http://svn.apache.org/viewvc?view=revision&revision=1341905
http://svn.apache.org/viewvc?view=revision&revision=1342065
http://svn.apache.org/viewvc?view=revision&revision=1341930
--- httpd-2.4.2/support/suexec.c --- httpd-2.4.2/configure.in.r1337344+
+++ httpd-2.4.2/configure.in
@@ -700,7 +700,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
AC_ARG_WITH(suexec-logfile,
APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
+ if test "x$withval" = "xyes"; then
+ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
+ fi
+])
+
+AC_ARG_WITH(suexec-syslog,
+APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
+ if test $withval = "yes"; then
+ if test "x${with_suexec_logfile}" != "xno"; then
+ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
+ AC_MSG_ERROR([suexec does not support both logging to file and syslog])
+ fi
+ AC_CHECK_FUNCS([vsyslog], [], [
+ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
+ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
+ fi
+])
+
AC_ARG_WITH(suexec-safepath,
APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
@@ -710,6 +727,15 @@ AC_ARG_WITH(suexec-umask,
APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
+INSTALL_SUEXEC=setuid
+AC_ARG_ENABLE([suexec-capabilities],
+APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
+INSTALL_SUEXEC=caps
+AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
+ [Enable if suexec is installed with Linux capabilities, not setuid])
+])
+APACHE_SUBST(INSTALL_SUEXEC)
+
dnl APR should go after the other libs, so the right symbols can be picked up
if test x${apu_found} != xobsolete; then
AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
--- httpd-2.4.2/docs/manual/suexec.html.en.r1337344+
+++ httpd-2.4.2/docs/manual/suexec.html.en
@@ -369,6 +369,21 @@
together with the <code>--enable-suexec</code> option to let
APACI accept your request for using the suEXEC feature.</dd>
+ <dt><code>--enable-suexec-capabilities</code></dt>
+
+ <dd><strong>Linux specific:</strong> Normally,
+ the <code>suexec</code> binary is installed "setuid/setgid
+ root", which allows it to run with the full privileges of the
+ root user. If this option is used, the <code>suexec</code>
+ binary will instead be installed with only the setuid/setgid
+ "capability" bits set, which is the subset of full root
+ priviliges required for suexec operation. Note that
+ the <code>suexec</code> binary may not be able to write to a log
+ file in this mode; it is recommended that the
+ <code>--with-suexec-syslog --without-suexec-logfile</code>
+ options are used in conjunction with this mode, so that syslog
+ logging is used instead.</dd>
+
<dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
<dd>The path to the <code>suexec</code> binary must be hard-coded
@@ -430,6 +445,12 @@
"<code>suexec_log</code>" and located in your standard logfile
directory (<code>--logfiledir</code>).</dd>
+ <dt><code>--with-suexec-syslog</code></dt>
+
+ <dd>If defined, suexec will log notices and errors to syslog
+ instead of a logfile. This option must be combined
+ with <code>--without-suexec-logfile</code>.</dd>
+
<dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
<dd>Define a safe PATH environment to pass to CGI
@@ -546,9 +567,12 @@
<p>The suEXEC wrapper will write log information
to the file defined with the <code>--with-suexec-logfile</code>
- option as indicated above. If you feel you have configured and
- installed the wrapper properly, have a look at this log and the
- error_log for the server to see where you may have gone astray.</p>
+ option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
+ is used. If you feel you have configured and
+ installed the wrapper properly, have a look at the log and the
+ error_log for the server to see where you may have gone astray.
+ The output of <code>"suexec -V"</code> will show the options
+ used to compile suexec, if using a binary distribution.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
<div class="section">
@@ -615,4 +639,4 @@
</div><div id="footer">
<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div>
-</body></html>
\ No newline at end of file
+</body></html>
--- httpd-2.4.2/Makefile.in.r1337344+
+++ httpd-2.4.2/Makefile.in
@@ -236,11 +236,22 @@ install-man:
cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
fi
-install-suexec:
+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
+
+install-suexec-binary:
@if test -f $(builddir)/support/suexec; then \
test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
$(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
+install-suexec-setuid:
+ @if test -f $(builddir)/support/suexec; then \
+ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
+install-suexec-caps:
+ @if test -f $(builddir)/support/suexec; then \
+ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
fi
suexec:
--- httpd-2.4.2/modules/arch/unix/mod_unixd.c.r1337344+
+++ httpd-2.4.2/modules/arch/unix/mod_unixd.c
@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d
return NULL;
}
+#ifdef AP_SUEXEC_CAPABILITIES
+/* If suexec is using capabilities, don't test for the setuid bit. */
+#define SETUID_TEST(finfo) (1)
+#else
+#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
+#endif
+
static int
unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp)
@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
ap_unixd_config.suexec_enabled = 0;
if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
== APR_SUCCESS) {
- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
+ if (SETUID_TEST(wrapper) && wrapper.user == 0
&& (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
ap_unixd_config.suexec_enabled = 1;
ap_unixd_config.suexec_disabled_reason = "";
--- httpd-2.4.2/support/suexec.c.r1337344+
+++ httpd-2.4.2/support/suexec.c +++ httpd-2.4.2/support/suexec.c
@@ -58,6 +58,10 @@ @@ -58,6 +58,10 @@
#include <grp.h> #include <grp.h>
@ -28,7 +186,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
static const char *const safe_env_lst[] = static const char *const safe_env_lst[] =
{ {
@@ -128,10 +137,23 @@ @@ -128,10 +137,23 @@ static const char *const safe_env_lst[]
NULL NULL
}; };
@ -53,7 +211,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
time_t timevar; time_t timevar;
struct tm *lt; struct tm *lt;
@@ -263,7 +285,7 @@ @@ -263,7 +285,7 @@ int main(int argc, char *argv[])
*/ */
uid = getuid(); uid = getuid();
if ((pw = getpwuid(uid)) == NULL) { if ((pw = getpwuid(uid)) == NULL) {
@ -62,7 +220,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
exit(102); exit(102);
} }
/* /*
@@ -289,7 +311,9 @@ @@ -289,7 +311,9 @@ int main(int argc, char *argv[])
#ifdef AP_HTTPD_USER #ifdef AP_HTTPD_USER
fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER); fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
#endif #endif
@ -73,7 +231,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
#endif #endif
#ifdef AP_SAFE_PATH #ifdef AP_SAFE_PATH
@@ -440,7 +464,7 @@ @@ -440,7 +464,7 @@ int main(int argc, char *argv[])
* a UID less than AP_UID_MIN. Tsk tsk. * a UID less than AP_UID_MIN. Tsk tsk.
*/ */
if ((uid == 0) || (uid < AP_UID_MIN)) { if ((uid == 0) || (uid < AP_UID_MIN)) {
@ -82,7 +240,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
exit(107); exit(107);
} }
@@ -449,7 +473,7 @@ @@ -449,7 +473,7 @@ int main(int argc, char *argv[])
* or as a GID less than AP_GID_MIN. Tsk tsk. * or as a GID less than AP_GID_MIN. Tsk tsk.
*/ */
if ((gid == 0) || (gid < AP_GID_MIN)) { if ((gid == 0) || (gid < AP_GID_MIN)) {
@ -91,7 +249,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
exit(108); exit(108);
} }
@@ -460,7 +484,7 @@ @@ -460,7 +484,7 @@ int main(int argc, char *argv[])
* and setgid() to the target group. If unsuccessful, error out. * and setgid() to the target group. If unsuccessful, error out.
*/ */
if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) { if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
@ -100,7 +258,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
exit(109); exit(109);
} }
@@ -468,7 +492,7 @@ @@ -468,7 +492,7 @@ int main(int argc, char *argv[])
* setuid() to the target user. Error out on fail. * setuid() to the target user. Error out on fail.
*/ */
if ((setuid(uid)) != 0) { if ((setuid(uid)) != 0) {
@ -109,7 +267,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
exit(110); exit(110);
} }
@@ -556,11 +580,11 @@ @@ -556,11 +580,11 @@ int main(int argc, char *argv[])
(gid != dir_info.st_gid) || (gid != dir_info.st_gid) ||
(uid != prg_info.st_uid) || (uid != prg_info.st_uid) ||
(gid != prg_info.st_gid)) { (gid != prg_info.st_gid)) {
@ -126,7 +284,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
exit(120); exit(120);
} }
/* /*
@@ -585,6 +609,12 @@ @@ -585,6 +609,12 @@ int main(int argc, char *argv[])
#endif /* AP_SUEXEC_UMASK */ #endif /* AP_SUEXEC_UMASK */
/* Be sure to close the log file so the CGI can't mess with it. */ /* Be sure to close the log file so the CGI can't mess with it. */
@ -139,7 +297,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
if (log != NULL) { if (log != NULL) {
#if APR_HAVE_FCNTL_H #if APR_HAVE_FCNTL_H
/* /*
@@ -606,6 +636,7 @@ @@ -606,6 +636,7 @@ int main(int argc, char *argv[])
log = NULL; log = NULL;
#endif #endif
} }
@ -147,32 +305,3 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
/* /*
* Execute the command, replacing our image with its own. * Execute the command, replacing our image with its own.
--- httpd-2.4.2/configure.in
+++ httpd-2.4.2/configure.in
@@ -703,8 +703,25 @@
AC_ARG_WITH(suexec-logfile,
APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
+ if test "x$withval" = "xyes"; then
+ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
+ fi
+])
+AC_ARG_WITH(suexec-syslog,
+APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
+ if test $withval = "yes"; then
+ if test "x${with_suexec_logfile}" != "xno"; then
+ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
+ AC_MSG_ERROR([suexec does not support both logging to file and syslog])
+ fi
+ AC_CHECK_FUNCS([vsyslog], [], [
+ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
+ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
+ fi
+])
+
+
AC_ARG_WITH(suexec-safepath,
APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
AC_DEFINE_UNQUOTED(AP_SAFE_PATH, "$withval", [safe shell path for SuExec] ) ] )

View File

@ -8,7 +8,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.2 Version: 2.4.2
Release: 8%{?dist} Release: 9%{?dist}
URL: http://httpd.apache.org/ URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html Source1: index.html
@ -43,8 +43,7 @@ Patch20: httpd-2.0.48-release.patch
Patch23: httpd-2.4.1-export.patch Patch23: httpd-2.4.1-export.patch
Patch24: httpd-2.4.1-corelimit.patch Patch24: httpd-2.4.1-corelimit.patch
Patch25: httpd-2.4.1-selinux.patch Patch25: httpd-2.4.1-selinux.patch
Patch26: httpd-2.4.1-suenable.patch Patch26: httpd-2.4.2-r1337344+.patch
Patch27: httpd-2.4.2-r1337344+.patch
# Bug fixes # Bug fixes
Patch40: httpd-2.4.2-restart.patch Patch40: httpd-2.4.2-restart.patch
Patch41: httpd-2.4.2-r1327036+.patch Patch41: httpd-2.4.2-r1327036+.patch
@ -154,8 +153,7 @@ authentication to the Apache HTTP Server.
%patch23 -p1 -b .export %patch23 -p1 -b .export
%patch24 -p1 -b .corelimit %patch24 -p1 -b .corelimit
%patch25 -p1 -b .selinux %patch25 -p1 -b .selinux
%patch26 -p1 -b .suenable %patch26 -p1 -b .r1337344+
%patch27 -p1 -b .r1337344+
%patch40 -p1 -b .restart %patch40 -p1 -b .restart
%patch41 -p1 -b .r1327036+ %patch41 -p1 -b .r1327036+
@ -165,6 +163,9 @@ authentication to the Apache HTTP Server.
# Patch in vendor/release string # Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
# Prevent use of setcap in "install-suexec-caps" target.
sed -i '/suexec/s,setcap ,echo Skipping setcap for ,' Makefile.in
# Safety check: prevent build if defined MMN does not equal upstream MMN. # Safety check: prevent build if defined MMN does not equal upstream MMN.
vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'` vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
if test "x${vmmn}" != "x%{mmn}"; then if test "x${vmmn}" != "x%{mmn}"; then
@ -209,6 +210,7 @@ export LYNX_PATH=/usr/bin/links
--enable-mpms-shared=all \ --enable-mpms-shared=all \
--with-apr=%{_prefix} --with-apr-util=%{_prefix} \ --with-apr=%{_prefix} --with-apr-util=%{_prefix} \
--enable-suexec --with-suexec \ --enable-suexec --with-suexec \
--enable-suexec-capabilities \
--with-suexec-caller=%{suexec_caller} \ --with-suexec-caller=%{suexec_caller} \
--with-suexec-docroot=%{docroot} \ --with-suexec-docroot=%{docroot} \
--without-suexec-logfile \ --without-suexec-logfile \
@ -375,9 +377,6 @@ rm -vf \
rm -rf $RPM_BUILD_ROOT/etc/httpd/conf/{original,extra} rm -rf $RPM_BUILD_ROOT/etc/httpd/conf/{original,extra}
# Make suexec a+rw so it can be stripped. %%files lists real permissions
chmod 755 $RPM_BUILD_ROOT%{_sbindir}/suexec
%pre %pre
# Add the "apache" user # Add the "apache" user
/usr/sbin/useradd -c "Apache" -u 48 \ /usr/sbin/useradd -c "Apache" -u 48 \
@ -564,6 +563,9 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd %{_sysconfdir}/rpm/macros.httpd
%changelog %changelog
* Wed May 23 2012 Joe Orton <jorton@redhat.com> - 2.4.2-9
- suexec: use upstream version of patch for capability bit support
* Wed May 23 2012 Joe Orton <jorton@redhat.com> - 2.4.2-8 * Wed May 23 2012 Joe Orton <jorton@redhat.com> - 2.4.2-8
- suexec: use syslog rather than suexec.log, drop dac_override capability - suexec: use syslog rather than suexec.log, drop dac_override capability