Raphaël G. Git Repositories - ihttpd/blob - SOURCES/httpd-2.4.4-r1337344+.patch

   1 # ./pullrev.sh 1337344 1341905 1342065 1341930
   2
   3 suexec enhancements:
   4
   5 1) use syslog for logging
   6 2) use capabilities not setuid/setgid root binary
   7
   8 http://svn.apache.org/viewvc?view=revision&revision=1337344
   9 http://svn.apache.org/viewvc?view=revision&revision=1341905
  10 http://svn.apache.org/viewvc?view=revision&revision=1342065
  11 http://svn.apache.org/viewvc?view=revision&revision=1341930
  12
  13 --- httpd-2.4.4/configure.in.r1337344+
  14 +++ httpd-2.4.4/configure.in
  15 @@ -734,7 +734,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
  16
  17  AC_ARG_WITH(suexec-logfile,
  18  APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
  19 -  AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
  20 +  if test "x$withval" = "xyes"; then
  21 +    AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
  22 +  fi
  23 +])
  24 +
  25 +AC_ARG_WITH(suexec-syslog,
  26 +APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
  27 +  if test $withval = "yes"; then
  28 +    if test "x${with_suexec_logfile}" != "xno"; then
  29 +      AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
  30 +      AC_MSG_ERROR([suexec does not support both logging to file and syslog])
  31 +    fi
  32 +    AC_CHECK_FUNCS([vsyslog], [], [
  33 +       AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
  34 +    AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
  35 +  fi
  36 +])
  37 +
  38
  39  AC_ARG_WITH(suexec-safepath,
  40  APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
  41 @@ -744,6 +761,15 @@ AC_ARG_WITH(suexec-umask,
  42  APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
  43    AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
  44
  45 +INSTALL_SUEXEC=setuid
  46 +AC_ARG_ENABLE([suexec-capabilities],
  47 +APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
  48 +INSTALL_SUEXEC=caps
  49 +AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
  50 +          [Enable if suexec is installed with Linux capabilities, not setuid])
  51 +])
  52 +APACHE_SUBST(INSTALL_SUEXEC)
  53 +
  54  dnl APR should go after the other libs, so the right symbols can be picked up
  55  if test x${apu_found} != xobsolete; then
  56    AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
  57 --- httpd-2.4.4/docs/manual/suexec.html.en.r1337344+
  58 +++ httpd-2.4.4/docs/manual/suexec.html.en
  59 @@ -372,6 +372,21 @@
  60        together with the <code>--enable-suexec</code> option to let
  61        APACI accept your request for using the suEXEC feature.</dd>
  62
  63 +      <dt><code>--enable-suexec-capabilities</code></dt>
  64 +
  65 +      <dd><strong>Linux specific:</strong> Normally,
  66 +      the <code>suexec</code> binary is installed "setuid/setgid
  67 +      root", which allows it to run with the full privileges of the
  68 +      root user.  If this option is used, the <code>suexec</code>
  69 +      binary will instead be installed with only the setuid/setgid
  70 +      "capability" bits set, which is the subset of full root
  71 +      priviliges required for suexec operation.  Note that
  72 +      the <code>suexec</code> binary may not be able to write to a log
  73 +      file in this mode; it is recommended that the
  74 +      <code>--with-suexec-syslog --without-suexec-logfile</code>
  75 +      options are used in conjunction with this mode, so that syslog
  76 +      logging is used instead.</dd>
  77 +
  78        <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
  79
  80        <dd>The path to the <code>suexec</code> binary must be hard-coded
  81 @@ -433,6 +448,12 @@
  82        "<code>suexec_log</code>" and located in your standard logfile
  83        directory (<code>--logfiledir</code>).</dd>
  84
  85 +      <dt><code>--with-suexec-syslog</code></dt>
  86 +
  87 +      <dd>If defined, suexec will log notices and errors to syslog
  88 +      instead of a logfile.  This option must be combined
  89 +      with <code>--without-suexec-logfile</code>.</dd>
  90 +
  91        <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
  92
  93        <dd>Define a safe PATH environment to pass to CGI
  94 @@ -550,9 +571,12 @@ Group webgroup
  95
  96      <p>The suEXEC wrapper will write log information
  97      to the file defined with the <code>--with-suexec-logfile</code>
  98 -    option as indicated above. If you feel you have configured and
  99 -    installed the wrapper properly, have a look at this log and the
 100 -    error_log for the server to see where you may have gone astray.</p>
 101 +    option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
 102 +    is used. If you feel you have configured and
 103 +    installed the wrapper properly, have a look at the log and the
 104 +    error_log for the server to see where you may have gone astray.
 105 +    The output of <code>"suexec -V"</code> will show the options
 106 +    used to compile suexec, if using a binary distribution.</p>
 107
 108  </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
 109  <div class="section">
 110 @@ -640,4 +664,4 @@ if (typeof(prettyPrint) !== 'undefined')
 111      prettyPrint();
 112  }
 113  //--><!]]></script>
 114 -</body></html>
 115 \ No newline at end of file
 116 +</body></html>
 117 --- httpd-2.4.4/Makefile.in.r1337344+
 118 +++ httpd-2.4.4/Makefile.in
 119 @@ -238,11 +238,22 @@ install-man:
 120           cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
 121         fi
 122
 123 -install-suexec:
 124 +install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
 125 +
 126 +install-suexec-binary:
 127         @if test -f $(builddir)/support/suexec; then \
 128              test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
 129              $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
 130 -            chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
 131 +       fi
 132 +
 133 +install-suexec-setuid:
 134 +       @if test -f $(builddir)/support/suexec; then \
 135 +           chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
 136 +       fi
 137 +
 138 +install-suexec-caps:
 139 +       @if test -f $(builddir)/support/suexec; then \
 140 +            setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
 141         fi
 142
 143  suexec:
 144 --- httpd-2.4.4/modules/arch/unix/mod_unixd.c.r1337344+
 145 +++ httpd-2.4.4/modules/arch/unix/mod_unixd.c
 146 @@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d
 147      return NULL;
 148  }
 149
 150 +#ifdef AP_SUEXEC_CAPABILITIES
 151 +/* If suexec is using capabilities, don't test for the setuid bit. */
 152 +#define SETUID_TEST(finfo) (1)
 153 +#else
 154 +#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
 155 +#endif
 156 +
 157  static int
 158  unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
 159                   apr_pool_t *ptemp)
 160 @@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
 161      ap_unixd_config.suexec_enabled = 0;
 162      if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
 163           == APR_SUCCESS) {
 164 -        if ((wrapper.protection & APR_USETID) && wrapper.user == 0
 165 +        if (SETUID_TEST(wrapper) && wrapper.user == 0
 166              && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
 167              ap_unixd_config.suexec_enabled = 1;
 168              ap_unixd_config.suexec_disabled_reason = "";
 169 --- httpd-2.4.4/support/suexec.c.r1337344+
 170 +++ httpd-2.4.4/support/suexec.c
 171 @@ -58,6 +58,10 @@
 172  #include <grp.h>
 173  #endif
 174
 175 +#ifdef AP_LOG_SYSLOG
 176 +#include <syslog.h>
 177 +#endif
 178 +
 179  #if defined(PATH_MAX)
 180  #define AP_MAXPATH PATH_MAX
 181  #elif defined(MAXPATHLEN)
 182 @@ -69,7 +73,20 @@
 183  #define AP_ENVBUF 256
 184
 185  extern char **environ;
 186 +
 187 +#ifdef AP_LOG_SYSLOG
 188 +/* Syslog support. */
 189 +#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV)
 190 +#define AP_LOG_FACILITY LOG_AUTHPRIV
 191 +#elif !defined(AP_LOG_FACILITY)
 192 +#define AP_LOG_FACILITY LOG_AUTH
 193 +#endif
 194 +
 195 +static int log_open;
 196 +#else
 197 +/* Non-syslog support. */
 198  static FILE *log = NULL;
 199 +#endif
 200
 201  static const char *const safe_env_lst[] =
 202  {
 203 @@ -137,7 +154,14 @@ static void err_output(int is_error, con
 204
 205  static void err_output(int is_error, const char *fmt, va_list ap)
 206  {
 207 -#ifdef AP_LOG_EXEC
 208 +#if defined(AP_LOG_SYSLOG)
 209 +    if (!log_open) {
 210 +        openlog("suexec", LOG_PID, AP_LOG_FACILITY);
 211 +        log_open = 1;
 212 +    }
 213 +
 214 +    vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
 215 +#elif defined(AP_LOG_EXEC)
 216      time_t timevar;
 217      struct tm *lt;
 218
 219 @@ -295,7 +319,9 @@ int main(int argc, char *argv[])
 220  #ifdef AP_HTTPD_USER
 221          fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
 222  #endif
 223 -#ifdef AP_LOG_EXEC
 224 +#if defined(AP_LOG_SYSLOG)
 225 +        fprintf(stderr, " -D AP_LOG_SYSLOG\n");
 226 +#elif defined(AP_LOG_EXEC)
 227          fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
 228  #endif
 229  #ifdef AP_SAFE_PATH
 230 @@ -591,6 +617,12 @@ int main(int argc, char *argv[])
 231  #endif /* AP_SUEXEC_UMASK */
 232
 233      /* Be sure to close the log file so the CGI can't mess with it. */
 234 +#ifdef AP_LOG_SYSLOG
 235 +    if (log_open) {
 236 +        closelog();
 237 +        log_open = 0;
 238 +    }
 239 +#else
 240      if (log != NULL) {
 241  #if APR_HAVE_FCNTL_H
 242          /*
 243 @@ -612,6 +644,7 @@ int main(int argc, char *argv[])
 244          log = NULL;
 245  #endif
 246      }
 247 +#endif
 248
 249      /*
 250       * Execute the command, replacing our image with its own.