diff options
| author | Joe Orton <jorton@redhat.com> | 2012-05-31 14:30:39 +0100 |
|---|---|---|
| committer | Joe Orton <jorton@redhat.com> | 2012-05-31 14:30:39 +0100 |
| commit | 969baf89f0c3a2b780ea1665d5ba9bed30854084 (patch) | |
| tree | 975c2e79b2ad6142ba402161a18d74b0797e8fcd | |
| parent | ddd6f9f031c0e1028acf403da4289e5d18a4aac8 (diff) | |
| download | httpd-969baf89f0c3a2b780ea1665d5ba9bed30854084.tar.gz httpd-969baf89f0c3a2b780ea1665d5ba9bed30854084.tar.xz httpd-969baf89f0c3a2b780ea1665d5ba9bed30854084.zip | |
update suexec patch to use LOG_AUTHPRIV facility
| -rw-r--r-- | httpd-2.4.2-r1337344+.patch | 365 | ||||
| -rw-r--r-- | httpd.spec | 5 |
2 files changed, 200 insertions, 170 deletions
diff --git a/httpd-2.4.2-r1337344+.patch b/httpd-2.4.2-r1337344+.patch index d569dbf..df277dd 100644 --- a/httpd-2.4.2-r1337344+.patch +++ b/httpd-2.4.2-r1337344+.patch @@ -1,3 +1,4 @@ +# ./pullrev.sh 1337344 1341905 1342065 1341930 1344712 suexec enhancements: @@ -9,163 +10,9 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905 http://svn.apache.org/viewvc?view=revision&revision=1342065 http://svn.apache.org/viewvc?view=revision&revision=1341930 ---- httpd-2.4.2/configure.in.r1337344+ -+++ httpd-2.4.2/configure.in -@@ -700,7 +700,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin, - - AC_ARG_WITH(suexec-logfile, - APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[ -- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] ) -+ if test "x$withval" = "xyes"; then -+ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file]) -+ fi -+]) -+ -+AC_ARG_WITH(suexec-syslog, -+APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[ -+ if test $withval = "yes"; then -+ if test "x${with_suexec_logfile}" != "xno"; then -+ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"]) -+ AC_MSG_ERROR([suexec does not support both logging to file and syslog]) -+ fi -+ AC_CHECK_FUNCS([vsyslog], [], [ -+ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])]) -+ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog]) -+ fi -+]) -+ - - AC_ARG_WITH(suexec-safepath, - APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[ -@@ -710,6 +727,15 @@ AC_ARG_WITH(suexec-umask, - APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[ - AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] ) - -+INSTALL_SUEXEC=setuid -+AC_ARG_ENABLE([suexec-capabilities], -+APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [ -+INSTALL_SUEXEC=caps -+AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, -+ [Enable if suexec is installed with Linux capabilities, not setuid]) -+]) -+APACHE_SUBST(INSTALL_SUEXEC) -+ - dnl APR should go after the other libs, so the right symbols can be picked up - if test x${apu_found} != xobsolete; then - AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`" ---- httpd-2.4.2/docs/manual/suexec.html.en.r1337344+ -+++ httpd-2.4.2/docs/manual/suexec.html.en -@@ -369,6 +369,21 @@ - together with the <code>--enable-suexec</code> option to let - APACI accept your request for using the suEXEC feature.</dd> - -+ <dt><code>--enable-suexec-capabilities</code></dt> -+ -+ <dd><strong>Linux specific:</strong> Normally, -+ the <code>suexec</code> binary is installed "setuid/setgid -+ root", which allows it to run with the full privileges of the -+ root user. If this option is used, the <code>suexec</code> -+ binary will instead be installed with only the setuid/setgid -+ "capability" bits set, which is the subset of full root -+ priviliges required for suexec operation. Note that -+ the <code>suexec</code> binary may not be able to write to a log -+ file in this mode; it is recommended that the -+ <code>--with-suexec-syslog --without-suexec-logfile</code> -+ options are used in conjunction with this mode, so that syslog -+ logging is used instead.</dd> -+ - <dt><code>--with-suexec-bin=<em>PATH</em></code></dt> - - <dd>The path to the <code>suexec</code> binary must be hard-coded -@@ -430,6 +445,12 @@ - "<code>suexec_log</code>" and located in your standard logfile - directory (<code>--logfiledir</code>).</dd> - -+ <dt><code>--with-suexec-syslog</code></dt> -+ -+ <dd>If defined, suexec will log notices and errors to syslog -+ instead of a logfile. This option must be combined -+ with <code>--without-suexec-logfile</code>.</dd> -+ - <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt> - - <dd>Define a safe PATH environment to pass to CGI -@@ -546,9 +567,12 @@ - - <p>The suEXEC wrapper will write log information - to the file defined with the <code>--with-suexec-logfile</code> -- option as indicated above. If you feel you have configured and -- installed the wrapper properly, have a look at this log and the -- error_log for the server to see where you may have gone astray.</p> -+ option as indicated above, or to syslog if <code>--with-suexec-syslog</code> -+ is used. If you feel you have configured and -+ installed the wrapper properly, have a look at the log and the -+ error_log for the server to see where you may have gone astray. -+ The output of <code>"suexec -V"</code> will show the options -+ used to compile suexec, if using a binary distribution.</p> - - </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div> - <div class="section"> -@@ -615,4 +639,4 @@ - </div><div id="footer"> - <p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> - <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div> --</body></html> -\ No newline at end of file -+</body></html> ---- httpd-2.4.2/Makefile.in.r1337344+ -+++ httpd-2.4.2/Makefile.in -@@ -236,11 +236,22 @@ install-man: - cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ - fi - --install-suexec: -+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC) -+ -+install-suexec-binary: - @if test -f $(builddir)/support/suexec; then \ - test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ - $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ -- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ -+ fi -+ -+install-suexec-setuid: -+ @if test -f $(builddir)/support/suexec; then \ -+ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ -+ fi -+ -+install-suexec-caps: -+ @if test -f $(builddir)/support/suexec; then \ -+ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ - fi - - suexec: ---- httpd-2.4.2/modules/arch/unix/mod_unixd.c.r1337344+ -+++ httpd-2.4.2/modules/arch/unix/mod_unixd.c -@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d - return NULL; - } - -+#ifdef AP_SUEXEC_CAPABILITIES -+/* If suexec is using capabilities, don't test for the setuid bit. */ -+#define SETUID_TEST(finfo) (1) -+#else -+#define SETUID_TEST(finfo) (finfo.protection & APR_USETID) -+#endif -+ - static int - unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, - apr_pool_t *ptemp) -@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_ - ap_unixd_config.suexec_enabled = 0; - if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) - == APR_SUCCESS) { -- if ((wrapper.protection & APR_USETID) && wrapper.user == 0 -+ if (SETUID_TEST(wrapper) && wrapper.user == 0 - && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) { - ap_unixd_config.suexec_enabled = 1; - ap_unixd_config.suexec_disabled_reason = ""; ---- httpd-2.4.2/support/suexec.c.r1337344+ +http://svn.apache.org/viewvc?view=revision&revision=1344712 + +--- httpd-2.4.2/support/suexec.c +++ httpd-2.4.2/support/suexec.c @@ -58,6 +58,10 @@ #include <grp.h> @@ -178,20 +25,28 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 #if defined(PATH_MAX) #define AP_MAXPATH PATH_MAX #elif defined(MAXPATHLEN) -@@ -69,7 +73,12 @@ +@@ -69,7 +73,20 @@ #define AP_ENVBUF 256 extern char **environ; + +#ifdef AP_LOG_SYSLOG ++/* Syslog support. */ ++#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV) ++#define AP_LOG_FACILITY LOG_AUTHPRIV ++#elif !defined(AP_LOG_FACILITY) ++#define AP_LOG_FACILITY LOG_AUTH ++#endif ++ +static int log_open; +#else ++/* Non-syslog support. */ static FILE *log = NULL; +#endif static const char *const safe_env_lst[] = { -@@ -128,10 +137,23 @@ static const char *const safe_env_lst[] +@@ -128,10 +145,23 @@ NULL }; @@ -207,7 +62,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 -#ifdef AP_LOG_EXEC +#if defined(AP_LOG_SYSLOG) + if (!log_open) { -+ openlog("suexec", LOG_PID, LOG_DAEMON); ++ openlog("suexec", LOG_PID, AP_LOG_FACILITY); + log_open = 1; + } + @@ -216,7 +71,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 time_t timevar; struct tm *lt; -@@ -263,7 +285,7 @@ int main(int argc, char *argv[]) +@@ -263,7 +293,7 @@ */ uid = getuid(); if ((pw = getpwuid(uid)) == NULL) { @@ -225,7 +80,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 exit(102); } /* -@@ -289,7 +311,9 @@ int main(int argc, char *argv[]) +@@ -289,7 +319,9 @@ #ifdef AP_HTTPD_USER fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER); #endif @@ -236,7 +91,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); #endif #ifdef AP_SAFE_PATH -@@ -440,7 +464,7 @@ int main(int argc, char *argv[]) +@@ -440,7 +472,7 @@ * a UID less than AP_UID_MIN. Tsk tsk. */ if ((uid == 0) || (uid < AP_UID_MIN)) { @@ -245,7 +100,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 exit(107); } -@@ -449,7 +473,7 @@ int main(int argc, char *argv[]) +@@ -449,7 +481,7 @@ * or as a GID less than AP_GID_MIN. Tsk tsk. */ if ((gid == 0) || (gid < AP_GID_MIN)) { @@ -254,7 +109,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 exit(108); } -@@ -460,7 +484,7 @@ int main(int argc, char *argv[]) +@@ -460,7 +492,7 @@ * and setgid() to the target group. If unsuccessful, error out. */ if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) { @@ -263,7 +118,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 exit(109); } -@@ -468,7 +492,7 @@ int main(int argc, char *argv[]) +@@ -468,7 +500,7 @@ * setuid() to the target user. Error out on fail. */ if ((setuid(uid)) != 0) { @@ -272,7 +127,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 exit(110); } -@@ -556,11 +580,11 @@ int main(int argc, char *argv[]) +@@ -556,11 +588,11 @@ (gid != dir_info.st_gid) || (uid != prg_info.st_uid) || (gid != prg_info.st_gid)) { @@ -289,7 +144,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 exit(120); } /* -@@ -585,6 +609,12 @@ int main(int argc, char *argv[]) +@@ -585,6 +617,12 @@ #endif /* AP_SUEXEC_UMASK */ /* Be sure to close the log file so the CGI can't mess with it. */ @@ -302,7 +157,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 if (log != NULL) { #if APR_HAVE_FCNTL_H /* -@@ -606,6 +636,7 @@ int main(int argc, char *argv[]) +@@ -606,6 +644,7 @@ log = NULL; #endif } @@ -310,3 +165,175 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930 /* * Execute the command, replacing our image with its own. +--- httpd-2.4.2/CHANGES ++++ httpd-2.4.2/CHANGES +@@ -1,6 +1,14 @@ + -*- coding: utf-8 -*- + Changes with Apache 2.5.0 + ++ *) suexec: Add --enable-suexec-capabilites support on Linux, to use ++ setuid/setgid capability bits rather than a setuid root binary. ++ [Joe Orton] ++ ++ *) suexec: Add support for logging to syslog as an alternative to ++ logging to a file; use --without-suexec-logfile --with-suexec-syslog. ++ [Joe Orton] ++ + *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on + one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>] + +--- httpd-2.4.2/configure.in ++++ httpd-2.4.2/configure.in +@@ -703,7 +703,24 @@ + + AC_ARG_WITH(suexec-logfile, + APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[ +- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] ) ++ if test "x$withval" = "xyes"; then ++ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file]) ++ fi ++]) ++ ++AC_ARG_WITH(suexec-syslog, ++APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[ ++ if test $withval = "yes"; then ++ if test "x${with_suexec_logfile}" != "xno"; then ++ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"]) ++ AC_MSG_ERROR([suexec does not support both logging to file and syslog]) ++ fi ++ AC_CHECK_FUNCS([vsyslog], [], [ ++ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])]) ++ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog]) ++ fi ++]) ++ + + AC_ARG_WITH(suexec-safepath, + APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[ +@@ -721,6 +738,15 @@ + APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[ + AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] ) + ++INSTALL_SUEXEC=setuid ++AC_ARG_ENABLE([suexec-capabilities], ++APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [ ++INSTALL_SUEXEC=caps ++AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, ++ [Enable if suexec is installed with Linux capabilities, not setuid]) ++]) ++APACHE_SUBST(INSTALL_SUEXEC) ++ + dnl APR should go after the other libs, so the right symbols can be picked up + if test x${apu_found} != xobsolete; then + AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`" +--- httpd-2.4.2/Makefile.in ++++ httpd-2.4.2/Makefile.in +@@ -233,13 +233,24 @@ + cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ + fi + +-install-suexec: ++install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC) ++ ++install-suexec-binary: + @if test -f $(builddir)/support/suexec; then \ + test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ + $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ +- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ + fi + ++install-suexec-setuid: ++ @if test -f $(builddir)/support/suexec; then \ ++ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ ++ fi ++ ++install-suexec-caps: ++ @if test -f $(builddir)/support/suexec; then \ ++ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ ++ fi ++ + suexec: + cd support && $(MAKE) suexec + +--- httpd-2.4.2/docs/manual/suexec.html.en ++++ httpd-2.4.2/docs/manual/suexec.html.en +@@ -372,6 +372,21 @@ + together with the <code>--enable-suexec</code> option to let + APACI accept your request for using the suEXEC feature.</dd> + ++ <dt><code>--enable-suexec-capabilities</code></dt> ++ ++ <dd><strong>Linux specific:</strong> Normally, ++ the <code>suexec</code> binary is installed "setuid/setgid ++ root", which allows it to run with the full privileges of the ++ root user. If this option is used, the <code>suexec</code> ++ binary will instead be installed with only the setuid/setgid ++ "capability" bits set, which is the subset of full root ++ priviliges required for suexec operation. Note that ++ the <code>suexec</code> binary may not be able to write to a log ++ file in this mode; it is recommended that the ++ <code>--with-suexec-syslog --without-suexec-logfile</code> ++ options are used in conjunction with this mode, so that syslog ++ logging is used instead.</dd> ++ + <dt><code>--with-suexec-bin=<em>PATH</em></code></dt> + + <dd>The path to the <code>suexec</code> binary must be hard-coded +@@ -418,6 +433,12 @@ + "<code>suexec_log</code>" and located in your standard logfile + directory (<code>--logfiledir</code>).</dd> + ++ <dt><code>--with-suexec-syslog</code></dt> ++ ++ <dd>If defined, suexec will log notices and errors to syslog ++ instead of a logfile. This option must be combined ++ with <code>--without-suexec-logfile</code>.</dd> ++ + <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt> + + <dd>Define a safe PATH environment to pass to CGI +@@ -535,9 +556,12 @@ + + <p>The suEXEC wrapper will write log information + to the file defined with the <code>--with-suexec-logfile</code> +- option as indicated above. If you feel you have configured and +- installed the wrapper properly, have a look at this log and the +- error_log for the server to see where you may have gone astray.</p> ++ option as indicated above, or to syslog if <code>--with-suexec-syslog</code> ++ is used. If you feel you have configured and ++ installed the wrapper properly, have a look at the log and the ++ error_log for the server to see where you may have gone astray. ++ The output of <code>"suexec -V"</code> will show the options ++ used to compile suexec, if using a binary distribution.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div> + <div class="section"> +@@ -629 +653 @@ +-</body></html> +\ No newline at end of file ++</body></html> +--- httpd-2.4.2/modules/arch/unix/mod_unixd.c ++++ httpd-2.4.2/modules/arch/unix/mod_unixd.c +@@ -284,6 +284,13 @@ + return NULL; + } + ++#ifdef AP_SUEXEC_CAPABILITIES ++/* If suexec is using capabilities, don't test for the setuid bit. */ ++#define SETUID_TEST(finfo) (1) ++#else ++#define SETUID_TEST(finfo) (finfo.protection & APR_USETID) ++#endif ++ + static int + unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, + apr_pool_t *ptemp) +@@ -300,7 +307,7 @@ + ap_unixd_config.suexec_enabled = 0; + if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) + == APR_SUCCESS) { +- if ((wrapper.protection & APR_USETID) && wrapper.user == 0 ++ if (SETUID_TEST(wrapper) && wrapper.user == 0 + && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) { + ap_unixd_config.suexec_enabled = 1; + ap_unixd_config.suexec_disabled_reason = ""; @@ -8,7 +8,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.2 -Release: 11%{?dist} +Release: 12%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -565,6 +565,9 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog +* Thu May 31 2012 Joe Orton <jorton@redhat.com> - 2.4.2-12 +- update suexec patch to use LOG_AUTHPRIV facility + * Thu May 24 2012 Joe Orton <jorton@redhat.com> - 2.4.2-11 - really fix autoindex.conf (thanks to remi@) |