[httpd] update suexec patch to use LOG_AUTHPRIV facility
jorton
jorton at fedoraproject.org
Thu May 31 13:31:04 UTC 2012
commit 969baf89f0c3a2b780ea1665d5ba9bed30854084
Author: Joe Orton <jorton at redhat.com>
Date: Thu May 31 14:30:39 2012 +0100
update suexec patch to use LOG_AUTHPRIV facility
httpd-2.4.2-r1337344+.patch | 365 +++++++++++++++++++++++--------------------
httpd.spec | 5 +-
2 files changed, 200 insertions(+), 170 deletions(-)
---
diff --git a/httpd-2.4.2-r1337344+.patch b/httpd-2.4.2-r1337344+.patch
index d569dbf..df277dd 100644
--- a/httpd-2.4.2-r1337344+.patch
+++ b/httpd-2.4.2-r1337344+.patch
@@ -1,3 +1,4 @@
+# ./pullrev.sh 1337344 1341905 1342065 1341930 1344712
suexec enhancements:
@@ -9,163 +10,9 @@ http://svn.apache.org/viewvc?view=revision&revision=1341905
http://svn.apache.org/viewvc?view=revision&revision=1342065
http://svn.apache.org/viewvc?view=revision&revision=1341930
---- httpd-2.4.2/configure.in.r1337344+
-+++ httpd-2.4.2/configure.in
-@@ -700,7 +700,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
-
- AC_ARG_WITH(suexec-logfile,
- APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
-- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
-+ if test "x$withval" = "xyes"; then
-+ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
-+ fi
-+])
-+
-+AC_ARG_WITH(suexec-syslog,
-+APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
-+ if test $withval = "yes"; then
-+ if test "x${with_suexec_logfile}" != "xno"; then
-+ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
-+ AC_MSG_ERROR([suexec does not support both logging to file and syslog])
-+ fi
-+ AC_CHECK_FUNCS([vsyslog], [], [
-+ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
-+ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
-+ fi
-+])
-+
-
- AC_ARG_WITH(suexec-safepath,
- APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
-@@ -710,6 +727,15 @@ AC_ARG_WITH(suexec-umask,
- APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
- AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
-
-+INSTALL_SUEXEC=setuid
-+AC_ARG_ENABLE([suexec-capabilities],
-+APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
-+INSTALL_SUEXEC=caps
-+AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
-+ [Enable if suexec is installed with Linux capabilities, not setuid])
-+])
-+APACHE_SUBST(INSTALL_SUEXEC)
-+
- dnl APR should go after the other libs, so the right symbols can be picked up
- if test x${apu_found} != xobsolete; then
- AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
---- httpd-2.4.2/docs/manual/suexec.html.en.r1337344+
-+++ httpd-2.4.2/docs/manual/suexec.html.en
-@@ -369,6 +369,21 @@
- together with the <code>--enable-suexec</code> option to let
- APACI accept your request for using the suEXEC feature.</dd>
-
-+ <dt><code>--enable-suexec-capabilities</code></dt>
-+
-+ <dd><strong>Linux specific:</strong> Normally,
-+ the <code>suexec</code> binary is installed "setuid/setgid
-+ root", which allows it to run with the full privileges of the
-+ root user. If this option is used, the <code>suexec</code>
-+ binary will instead be installed with only the setuid/setgid
-+ "capability" bits set, which is the subset of full root
-+ priviliges required for suexec operation. Note that
-+ the <code>suexec</code> binary may not be able to write to a log
-+ file in this mode; it is recommended that the
-+ <code>--with-suexec-syslog --without-suexec-logfile</code>
-+ options are used in conjunction with this mode, so that syslog
-+ logging is used instead.</dd>
-+
- <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
-
- <dd>The path to the <code>suexec</code> binary must be hard-coded
-@@ -430,6 +445,12 @@
- "<code>suexec_log</code>" and located in your standard logfile
- directory (<code>--logfiledir</code>).</dd>
-
-+ <dt><code>--with-suexec-syslog</code></dt>
-+
-+ <dd>If defined, suexec will log notices and errors to syslog
-+ instead of a logfile. This option must be combined
-+ with <code>--without-suexec-logfile</code>.</dd>
-+
- <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
-
- <dd>Define a safe PATH environment to pass to CGI
-@@ -546,9 +567,12 @@
-
- <p>The suEXEC wrapper will write log information
- to the file defined with the <code>--with-suexec-logfile</code>
-- option as indicated above. If you feel you have configured and
-- installed the wrapper properly, have a look at this log and the
-- error_log for the server to see where you may have gone astray.</p>
-+ option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
-+ is used. If you feel you have configured and
-+ installed the wrapper properly, have a look at the log and the
-+ error_log for the server to see where you may have gone astray.
-+ The output of <code>"suexec -V"</code> will show the options
-+ used to compile suexec, if using a binary distribution.</p>
-
- </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
- <div class="section">
-@@ -615,4 +639,4 @@
- </div><div id="footer">
- <p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
- <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div>
--</body></html>
-\ No newline at end of file
-+</body></html>
---- httpd-2.4.2/Makefile.in.r1337344+
-+++ httpd-2.4.2/Makefile.in
-@@ -236,11 +236,22 @@ install-man:
- cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
- fi
-
--install-suexec:
-+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
-+
-+install-suexec-binary:
- @if test -f $(builddir)/support/suexec; then \
- test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
- $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
-- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
-+ fi
-+
-+install-suexec-setuid:
-+ @if test -f $(builddir)/support/suexec; then \
-+ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
-+ fi
-+
-+install-suexec-caps:
-+ @if test -f $(builddir)/support/suexec; then \
-+ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
- fi
-
- suexec:
---- httpd-2.4.2/modules/arch/unix/mod_unixd.c.r1337344+
-+++ httpd-2.4.2/modules/arch/unix/mod_unixd.c
-@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d
- return NULL;
- }
-
-+#ifdef AP_SUEXEC_CAPABILITIES
-+/* If suexec is using capabilities, don't test for the setuid bit. */
-+#define SETUID_TEST(finfo) (1)
-+#else
-+#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
-+#endif
-+
- static int
- unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
- apr_pool_t *ptemp)
-@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
- ap_unixd_config.suexec_enabled = 0;
- if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
- == APR_SUCCESS) {
-- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
-+ if (SETUID_TEST(wrapper) && wrapper.user == 0
- && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
- ap_unixd_config.suexec_enabled = 1;
- ap_unixd_config.suexec_disabled_reason = "";
---- httpd-2.4.2/support/suexec.c.r1337344+
+http://svn.apache.org/viewvc?view=revision&revision=1344712
+
+--- httpd-2.4.2/support/suexec.c
+++ httpd-2.4.2/support/suexec.c
@@ -58,6 +58,10 @@
#include <grp.h>
@@ -178,20 +25,28 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
#if defined(PATH_MAX)
#define AP_MAXPATH PATH_MAX
#elif defined(MAXPATHLEN)
-@@ -69,7 +73,12 @@
+@@ -69,7 +73,20 @@
#define AP_ENVBUF 256
extern char **environ;
+
+#ifdef AP_LOG_SYSLOG
++/* Syslog support. */
++#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV)
++#define AP_LOG_FACILITY LOG_AUTHPRIV
++#elif !defined(AP_LOG_FACILITY)
++#define AP_LOG_FACILITY LOG_AUTH
++#endif
++
+static int log_open;
+#else
++/* Non-syslog support. */
static FILE *log = NULL;
+#endif
static const char *const safe_env_lst[] =
{
-@@ -128,10 +137,23 @@ static const char *const safe_env_lst[]
+@@ -128,10 +145,23 @@
NULL
};
@@ -207,7 +62,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
-#ifdef AP_LOG_EXEC
+#if defined(AP_LOG_SYSLOG)
+ if (!log_open) {
-+ openlog("suexec", LOG_PID, LOG_DAEMON);
++ openlog("suexec", LOG_PID, AP_LOG_FACILITY);
+ log_open = 1;
+ }
+
@@ -216,7 +71,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
time_t timevar;
struct tm *lt;
-@@ -263,7 +285,7 @@ int main(int argc, char *argv[])
+@@ -263,7 +293,7 @@
*/
uid = getuid();
if ((pw = getpwuid(uid)) == NULL) {
@@ -225,7 +80,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
exit(102);
}
/*
-@@ -289,7 +311,9 @@ int main(int argc, char *argv[])
+@@ -289,7 +319,9 @@
#ifdef AP_HTTPD_USER
fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
#endif
@@ -236,7 +91,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
#endif
#ifdef AP_SAFE_PATH
-@@ -440,7 +464,7 @@ int main(int argc, char *argv[])
+@@ -440,7 +472,7 @@
* a UID less than AP_UID_MIN. Tsk tsk.
*/
if ((uid == 0) || (uid < AP_UID_MIN)) {
@@ -245,7 +100,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
exit(107);
}
-@@ -449,7 +473,7 @@ int main(int argc, char *argv[])
+@@ -449,7 +481,7 @@
* or as a GID less than AP_GID_MIN. Tsk tsk.
*/
if ((gid == 0) || (gid < AP_GID_MIN)) {
@@ -254,7 +109,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
exit(108);
}
-@@ -460,7 +484,7 @@ int main(int argc, char *argv[])
+@@ -460,7 +492,7 @@
* and setgid() to the target group. If unsuccessful, error out.
*/
if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
@@ -263,7 +118,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
exit(109);
}
-@@ -468,7 +492,7 @@ int main(int argc, char *argv[])
+@@ -468,7 +500,7 @@
* setuid() to the target user. Error out on fail.
*/
if ((setuid(uid)) != 0) {
@@ -272,7 +127,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
exit(110);
}
-@@ -556,11 +580,11 @@ int main(int argc, char *argv[])
+@@ -556,11 +588,11 @@
(gid != dir_info.st_gid) ||
(uid != prg_info.st_uid) ||
(gid != prg_info.st_gid)) {
@@ -289,7 +144,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
exit(120);
}
/*
-@@ -585,6 +609,12 @@ int main(int argc, char *argv[])
+@@ -585,6 +617,12 @@
#endif /* AP_SUEXEC_UMASK */
/* Be sure to close the log file so the CGI can't mess with it. */
@@ -302,7 +157,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
if (log != NULL) {
#if APR_HAVE_FCNTL_H
/*
-@@ -606,6 +636,7 @@ int main(int argc, char *argv[])
+@@ -606,6 +644,7 @@
log = NULL;
#endif
}
@@ -310,3 +165,175 @@ http://svn.apache.org/viewvc?view=revision&revision=1341930
/*
* Execute the command, replacing our image with its own.
+--- httpd-2.4.2/CHANGES
++++ httpd-2.4.2/CHANGES
+@@ -1,6 +1,14 @@
+ -*- coding: utf-8 -*-
+ Changes with Apache 2.5.0
+
++ *) suexec: Add --enable-suexec-capabilites support on Linux, to use
++ setuid/setgid capability bits rather than a setuid root binary.
++ [Joe Orton]
++
++ *) suexec: Add support for logging to syslog as an alternative to
++ logging to a file; use --without-suexec-logfile --with-suexec-syslog.
++ [Joe Orton]
++
+ *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
+ one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
+
+--- httpd-2.4.2/configure.in
++++ httpd-2.4.2/configure.in
+@@ -703,7 +703,24 @@
+
+ AC_ARG_WITH(suexec-logfile,
+ APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
+- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
++ if test "x$withval" = "xyes"; then
++ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
++ fi
++])
++
++AC_ARG_WITH(suexec-syslog,
++APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
++ if test $withval = "yes"; then
++ if test "x${with_suexec_logfile}" != "xno"; then
++ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
++ AC_MSG_ERROR([suexec does not support both logging to file and syslog])
++ fi
++ AC_CHECK_FUNCS([vsyslog], [], [
++ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
++ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
++ fi
++])
++
+
+ AC_ARG_WITH(suexec-safepath,
+ APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
+@@ -721,6 +738,15 @@
+ APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
+ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
+
++INSTALL_SUEXEC=setuid
++AC_ARG_ENABLE([suexec-capabilities],
++APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
++INSTALL_SUEXEC=caps
++AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
++ [Enable if suexec is installed with Linux capabilities, not setuid])
++])
++APACHE_SUBST(INSTALL_SUEXEC)
++
+ dnl APR should go after the other libs, so the right symbols can be picked up
+ if test x${apu_found} != xobsolete; then
+ AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`"
+--- httpd-2.4.2/Makefile.in
++++ httpd-2.4.2/Makefile.in
+@@ -233,13 +233,24 @@
+ cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
+ fi
+
+-install-suexec:
++install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
++
++install-suexec-binary:
+ @if test -f $(builddir)/support/suexec; then \
+ test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
+ $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
+- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
++install-suexec-setuid:
++ @if test -f $(builddir)/support/suexec; then \
++ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
++ fi
++
++install-suexec-caps:
++ @if test -f $(builddir)/support/suexec; then \
++ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
++ fi
++
+ suexec:
+ cd support && $(MAKE) suexec
+
+--- httpd-2.4.2/docs/manual/suexec.html.en
++++ httpd-2.4.2/docs/manual/suexec.html.en
+@@ -372,6 +372,21 @@
+ together with the <code>--enable-suexec</code> option to let
+ APACI accept your request for using the suEXEC feature.</dd>
+
++ <dt><code>--enable-suexec-capabilities</code></dt>
++
++ <dd><strong>Linux specific:</strong> Normally,
++ the <code>suexec</code> binary is installed "setuid/setgid
++ root", which allows it to run with the full privileges of the
++ root user. If this option is used, the <code>suexec</code>
++ binary will instead be installed with only the setuid/setgid
++ "capability" bits set, which is the subset of full root
++ priviliges required for suexec operation. Note that
++ the <code>suexec</code> binary may not be able to write to a log
++ file in this mode; it is recommended that the
++ <code>--with-suexec-syslog --without-suexec-logfile</code>
++ options are used in conjunction with this mode, so that syslog
++ logging is used instead.</dd>
++
+ <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
+
+ <dd>The path to the <code>suexec</code> binary must be hard-coded
+@@ -418,6 +433,12 @@
+ "<code>suexec_log</code>" and located in your standard logfile
+ directory (<code>--logfiledir</code>).</dd>
+
++ <dt><code>--with-suexec-syslog</code></dt>
++
++ <dd>If defined, suexec will log notices and errors to syslog
++ instead of a logfile. This option must be combined
++ with <code>--without-suexec-logfile</code>.</dd>
++
+ <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
+
+ <dd>Define a safe PATH environment to pass to CGI
+@@ -535,9 +556,12 @@
+
+ <p>The suEXEC wrapper will write log information
+ to the file defined with the <code>--with-suexec-logfile</code>
+- option as indicated above. If you feel you have configured and
+- installed the wrapper properly, have a look at this log and the
+- error_log for the server to see where you may have gone astray.</p>
++ option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
++ is used. If you feel you have configured and
++ installed the wrapper properly, have a look at the log and the
++ error_log for the server to see where you may have gone astray.
++ The output of <code>"suexec -V"</code> will show the options
++ used to compile suexec, if using a binary distribution.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
+ <div class="section">
+@@ -629 +653 @@
+-</body></html>
+\ No newline at end of file
++</body></html>
+--- httpd-2.4.2/modules/arch/unix/mod_unixd.c
++++ httpd-2.4.2/modules/arch/unix/mod_unixd.c
+@@ -284,6 +284,13 @@
+ return NULL;
+ }
+
++#ifdef AP_SUEXEC_CAPABILITIES
++/* If suexec is using capabilities, don't test for the setuid bit. */
++#define SETUID_TEST(finfo) (1)
++#else
++#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
++#endif
++
+ static int
+ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+ apr_pool_t *ptemp)
+@@ -300,7 +307,7 @@
+ ap_unixd_config.suexec_enabled = 0;
+ if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
+ == APR_SUCCESS) {
+- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
++ if (SETUID_TEST(wrapper) && wrapper.user == 0
+ && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
+ ap_unixd_config.suexec_enabled = 1;
+ ap_unixd_config.suexec_disabled_reason = "";
diff --git a/httpd.spec b/httpd.spec
index 6125e63..6710fa8 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.2
-Release: 11%{?dist}
+Release: 12%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -565,6 +565,9 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd
%changelog
+* Thu May 31 2012 Joe Orton <jorton at redhat.com> - 2.4.2-12
+- update suexec patch to use LOG_AUTHPRIV facility
+
* Thu May 24 2012 Joe Orton <jorton at redhat.com> - 2.4.2-11
- really fix autoindex.conf (thanks to remi@)
More information about the scm-commits
mailing list