| author | Jan Kaluza <hanzz.k@gmail.com> | 2011-07-20 08:53:17 +0200 |
|---|---|---|
| committer | Jan Kaluza <hanzz.k@gmail.com> | 2011-07-20 08:53:17 +0200 |
| commit | a1caf8d2f64f50c4bfc562f9ffd35ac762ce987e (patch) | |
| tree | 92f9db5f82184107c190ca44ec29a2356653e757 | |
| parent | 39b84c685337234fbf72e2619ac3cd725e9108c0 (diff) | |
fix #716621 - suexec now works without setuid bit
| -rw-r--r-- | httpd-2.2.9-suenable.patch | 17 | ||||
| -rw-r--r-- | httpd.spec | 8 |
2 files changed, 18 insertions, 7 deletions
diff --git a/httpd-2.2.9-suenable.patch b/httpd-2.2.9-suenable.patch index a449237..9e9f70f 100644 --- a/httpd-2.2.9-suenable.patch +++ b/httpd-2.2.9-suenable.patch @@ -1,13 +1,20 @@ +Removes setuid check because we are now using capabilities to ensure proper +suexec rights. -Upstream-Status: in trunk, differently +Upstream-status: Not acceptable for upstream in current status. +suexec_enabled part is in trunk,differently ---- httpd-2.2.9/os/unix/unixd.c.suenable -+++ httpd-2.2.9/os/unix/unixd.c -@@ -215,7 +215,7 @@ AP_DECLARE(void) unixd_pre_config(apr_po +diff --git a/os/unix/unixd.c b/os/unix/unixd.c +index 85d5a98..1ee1dfe 100644 +--- a/os/unix/unixd.c ++++ b/os/unix/unixd.c +@@ -271,8 +271,8 @@ AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp) + return; } - if ((wrapper.protection & APR_USETID) && wrapper.user == 0) { +- if ((wrapper.protection & APR_USETID) && wrapper.user == 0) { - unixd_config.suexec_enabled = 1; ++ if (wrapper.user == 0) { + unixd_config.suexec_enabled = access(SUEXEC_BIN, R_OK|X_OK) == 0; } } @@ -8,7 +8,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.2.19 -Release: 2%{?dist} +Release: 3%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz Source1: index.html @@ -452,7 +452,8 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/ht* %{_sbindir}/apachectl %{_sbindir}/rotatelogs -%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec +# cap_dac_override needed to write to /var/log/httpd +%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec %dir %{_libdir}/httpd %dir %{_libdir}/httpd/modules 
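Review bot: In the unixd.c hunk carried by this patch, `unixd_config.suexec_enabled = access(SUEXEC_BIN, R_OK|X_OK) == 0;` no longer confirms that the wrapper holds any privilege, because the `APR_USETID` test is removed and nothing replaces it with a check for the file capabilities the spec file assigns. access() tests against the real UID, so when httpd starts as root it succeeds for a root-owned file with any execute bit set, and suexec_enabled becomes 1 even if the capabilities were lost (for instance on a copy or restore that drops extended attributes). The failure would then presumably surface only per request, when suexec cannot change UID. I would at least add a comment above the assignment, `/* setuid bit not required: suexec ships with cap_setuid,cap_setgid file capabilities; this only checks the binary is usable, not that the capabilities are set */`, or enable suexec only when either the setuid bit or the expected capabilities are found. unixd_pre_config starts outside the hunk.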
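Review bot: Adding `cap_dac_override` to the `%caps` line for suexec grants much more than the stated need of writing to /var/log/httpd, since it bypasses read, write and execute permission checks on every file, and with `+pe` it is effective as soon as a member of `%{suexec_caller}` executes the binary. Whether suexec gives the capability up once its log is open is not visible in this diff. The spec comment should record that breadth, for example `# cap_dac_override: only for the log under /var/log/httpd; bypasses all file permission checks, remove once the log is writable another way`. A narrower route, if it fits the packaging, would be log ownership or a mode that lets suexec append without the capability.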
@@ -511,6 +512,9 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/httpd/build/*.sh %changelog +* Wed Jul 20 2011 Jan Kaluza <jkaluza@redhat.com> - 2.2.19-3 +- fix #716621 - suexec now works without setuid bit + * Thu Jul 14 2011 Jan Kaluza <jkaluza@redhat.com> - 2.2.19-2 - fix #689091 - backported patch from 2.3 branch to support IPv6 in logresolve |
