]> Raphaƫl G. Git Repositories - ihttpd/blob - SOURCES/httpd-2.4.4-r1337344+.patch
Version 2.4.62
[ihttpd] / SOURCES / httpd-2.4.4-r1337344+.patch
1 # ./pullrev.sh 1337344 1341905 1342065 1341930
2
3 suexec enhancements:
4
5 1) use syslog for logging
6 2) use capabilities not setuid/setgid root binary
7
8 http://svn.apache.org/viewvc?view=revision&revision=1337344
9 http://svn.apache.org/viewvc?view=revision&revision=1341905
10 http://svn.apache.org/viewvc?view=revision&revision=1342065
11 http://svn.apache.org/viewvc?view=revision&revision=1341930
12
13 --- httpd-2.4.4/configure.in.r1337344+
14 +++ httpd-2.4.4/configure.in
15 @@ -734,7 +734,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
16
17 AC_ARG_WITH(suexec-logfile,
18 APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
19 - AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
20 + if test "x$withval" = "xyes"; then
21 + AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
22 + fi
23 +])
24 +
25 +AC_ARG_WITH(suexec-syslog,
26 +APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
27 + if test $withval = "yes"; then
28 + if test "x${with_suexec_logfile}" != "xno"; then
29 + AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
30 + AC_MSG_ERROR([suexec does not support both logging to file and syslog])
31 + fi
32 + AC_CHECK_FUNCS([vsyslog], [], [
33 + AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
34 + AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
35 + fi
36 +])
37 +
38
39 AC_ARG_WITH(suexec-safepath,
40 APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
41 @@ -744,6 +761,15 @@ AC_ARG_WITH(suexec-umask,
42 APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
43 AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
44
45 +INSTALL_SUEXEC=setuid
46 +AC_ARG_ENABLE([suexec-capabilities],
47 +APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
48 +INSTALL_SUEXEC=caps
49 +AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
50 + [Enable if suexec is installed with Linux capabilities, not setuid])
51 +])
52 +APACHE_SUBST(INSTALL_SUEXEC)
53 +
54 dnl APR should go after the other libs, so the right symbols can be picked up
55 if test x${apu_found} != xobsolete; then
56 AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
57 --- httpd-2.4.4/docs/manual/suexec.html.en.r1337344+
58 +++ httpd-2.4.4/docs/manual/suexec.html.en
59 @@ -372,6 +372,21 @@
60 together with the <code>--enable-suexec</code> option to let
61 APACI accept your request for using the suEXEC feature.</dd>
62
63 + <dt><code>--enable-suexec-capabilities</code></dt>
64 +
65 + <dd><strong>Linux specific:</strong> Normally,
66 + the <code>suexec</code> binary is installed "setuid/setgid
67 + root", which allows it to run with the full privileges of the
68 + root user. If this option is used, the <code>suexec</code>
69 + binary will instead be installed with only the setuid/setgid
70 + "capability" bits set, which is the subset of full root
71 + priviliges required for suexec operation. Note that
72 + the <code>suexec</code> binary may not be able to write to a log
73 + file in this mode; it is recommended that the
74 + <code>--with-suexec-syslog --without-suexec-logfile</code>
75 + options are used in conjunction with this mode, so that syslog
76 + logging is used instead.</dd>
77 +
78 <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
79
80 <dd>The path to the <code>suexec</code> binary must be hard-coded
81 @@ -433,6 +448,12 @@
82 "<code>suexec_log</code>" and located in your standard logfile
83 directory (<code>--logfiledir</code>).</dd>
84
85 + <dt><code>--with-suexec-syslog</code></dt>
86 +
87 + <dd>If defined, suexec will log notices and errors to syslog
88 + instead of a logfile. This option must be combined
89 + with <code>--without-suexec-logfile</code>.</dd>
90 +
91 <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
92
93 <dd>Define a safe PATH environment to pass to CGI
94 @@ -550,9 +571,12 @@ Group webgroup
95
96 <p>The suEXEC wrapper will write log information
97 to the file defined with the <code>--with-suexec-logfile</code>
98 - option as indicated above. If you feel you have configured and
99 - installed the wrapper properly, have a look at this log and the
100 - error_log for the server to see where you may have gone astray.</p>
101 + option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
102 + is used. If you feel you have configured and
103 + installed the wrapper properly, have a look at the log and the
104 + error_log for the server to see where you may have gone astray.
105 + The output of <code>"suexec -V"</code> will show the options
106 + used to compile suexec, if using a binary distribution.</p>
107
108 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
109 <div class="section">
110 @@ -640,4 +664,4 @@ if (typeof(prettyPrint) !== 'undefined')
111 prettyPrint();
112 }
113 //--><!]]></script>
114 -</body></html>
115 \ No newline at end of file
116 +</body></html>
117 --- httpd-2.4.4/Makefile.in.r1337344+
118 +++ httpd-2.4.4/Makefile.in
119 @@ -238,11 +238,22 @@ install-man:
120 cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
121 fi
122
123 -install-suexec:
124 +install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
125 +
126 +install-suexec-binary:
127 @if test -f $(builddir)/support/suexec; then \
128 test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
129 $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
130 - chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
131 + fi
132 +
133 +install-suexec-setuid:
134 + @if test -f $(builddir)/support/suexec; then \
135 + chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
136 + fi
137 +
138 +install-suexec-caps:
139 + @if test -f $(builddir)/support/suexec; then \
140 + setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
141 fi
142
143 suexec:
144 --- httpd-2.4.4/modules/arch/unix/mod_unixd.c.r1337344+
145 +++ httpd-2.4.4/modules/arch/unix/mod_unixd.c
146 @@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d
147 return NULL;
148 }
149
150 +#ifdef AP_SUEXEC_CAPABILITIES
151 +/* If suexec is using capabilities, don't test for the setuid bit. */
152 +#define SETUID_TEST(finfo) (1)
153 +#else
154 +#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
155 +#endif
156 +
157 static int
158 unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
159 apr_pool_t *ptemp)
160 @@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
161 ap_unixd_config.suexec_enabled = 0;
162 if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
163 == APR_SUCCESS) {
164 - if ((wrapper.protection & APR_USETID) && wrapper.user == 0
165 + if (SETUID_TEST(wrapper) && wrapper.user == 0
166 && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
167 ap_unixd_config.suexec_enabled = 1;
168 ap_unixd_config.suexec_disabled_reason = "";
169 --- httpd-2.4.4/support/suexec.c.r1337344+
170 +++ httpd-2.4.4/support/suexec.c
171 @@ -58,6 +58,10 @@
172 #include <grp.h>
173 #endif
174
175 +#ifdef AP_LOG_SYSLOG
176 +#include <syslog.h>
177 +#endif
178 +
179 #if defined(PATH_MAX)
180 #define AP_MAXPATH PATH_MAX
181 #elif defined(MAXPATHLEN)
182 @@ -69,7 +73,20 @@
183 #define AP_ENVBUF 256
184
185 extern char **environ;
186 +
187 +#ifdef AP_LOG_SYSLOG
188 +/* Syslog support. */
189 +#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV)
190 +#define AP_LOG_FACILITY LOG_AUTHPRIV
191 +#elif !defined(AP_LOG_FACILITY)
192 +#define AP_LOG_FACILITY LOG_AUTH
193 +#endif
194 +
195 +static int log_open;
196 +#else
197 +/* Non-syslog support. */
198 static FILE *log = NULL;
199 +#endif
200
201 static const char *const safe_env_lst[] =
202 {
203 @@ -137,7 +154,14 @@ static void err_output(int is_error, con
204
205 static void err_output(int is_error, const char *fmt, va_list ap)
206 {
207 -#ifdef AP_LOG_EXEC
208 +#if defined(AP_LOG_SYSLOG)
209 + if (!log_open) {
210 + openlog("suexec", LOG_PID, AP_LOG_FACILITY);
211 + log_open = 1;
212 + }
213 +
214 + vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
215 +#elif defined(AP_LOG_EXEC)
216 time_t timevar;
217 struct tm *lt;
218
219 @@ -295,7 +319,9 @@ int main(int argc, char *argv[])
220 #ifdef AP_HTTPD_USER
221 fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
222 #endif
223 -#ifdef AP_LOG_EXEC
224 +#if defined(AP_LOG_SYSLOG)
225 + fprintf(stderr, " -D AP_LOG_SYSLOG\n");
226 +#elif defined(AP_LOG_EXEC)
227 fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
228 #endif
229 #ifdef AP_SAFE_PATH
230 @@ -591,6 +617,12 @@ int main(int argc, char *argv[])
231 #endif /* AP_SUEXEC_UMASK */
232
233 /* Be sure to close the log file so the CGI can't mess with it. */
234 +#ifdef AP_LOG_SYSLOG
235 + if (log_open) {
236 + closelog();
237 + log_open = 0;
238 + }
239 +#else
240 if (log != NULL) {
241 #if APR_HAVE_FCNTL_H
242 /*
243 @@ -612,6 +644,7 @@ int main(int argc, char *argv[])
244 log = NULL;
245 #endif
246 }
247 +#endif
248
249 /*
250 * Execute the command, replacing our image with its own.