rpms/mod_suphp/devel README.fedora, NONE, 1.1 mod_suphp-0.6.1-userdir.patch, NONE, 1.1 mod_suphp.conf, NONE, 1.1 sources, 1.3, 1.4
Andreas Thienemann (ixs)
fedora-extras-commits at redhat.com
Mon Feb 6 16:40:00 UTC 2006
- Previous message: rpms/mod_suphp/devel .cvsignore, 1.2, 1.3 mod_suphp.spec, 1.6, 1.7 sources, 1.2, 1.3 suphp.conf, 1.1, 1.2
- Next message: rpms/mod_suphp/devel mod_suphp-0.6.1-AddHandler.patch, NONE, 1.1 .cvsignore, 1.3, 1.4
Author: ixs
Update of /cvs/extras/rpms/mod_suphp/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18567
Modified Files:
sources
Added Files:
README.fedora mod_suphp-0.6.1-userdir.patch mod_suphp.conf
Log Message:
* Mon Feb 06 2006 Andreas Thienemann <andreas at bawue.net> 0.6.1-1
- Updated to 0.6.1
--- NEW FILE README.fedora ---
In order to activate mod_suphp support, /etc/httpd/conf.d/mod_suphp.conf
has to be edited.
The commented line "#AddHandler x-httpd-php .php" has to be uncommented,
for mod_suphp to work.
After a restart of the httpd, php scripts should be executed with the
rights of the user owning them.
In case you do need mod_php support for a certain virtual host or directory,
you can selectively disable mod_suphp and fall back to mod_php:
<Directory "/var/www/html">
suPHP_Engine off
RemoveHandler .php
php_admin_flag engine on
php_admin_flag register_globals on
</Directory>
This should do the trick nicely. The register_globals flag is purely optional
and should be avoided if possibly.
Should you require mod_userdir support, in order to enable ~user URLs, you should set
check_vhost_docroot=false in the /etc/suphp.conf file, as currently suphp would fail
with a incorrect vhost.
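Review bot: The mod_php fallback example in README.fedora includes `php_admin_flag register_globals on` even though the following paragraph says the flag should be avoided; drop that line from the example so a copy-paste does not enable it, and mention it separately as optional. The userdir paragraph should also say that check_vhost_docroot=false is set in the global /etc/suphp.conf, so as written it relaxes the docroot check server-wide and not only for ~user URLs. Wording: "if possibly" should read "if possible" and "a incorrect" should read "an incorrect".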
mod_suphp-0.6.1-userdir.patch:
--- NEW FILE mod_suphp-0.6.1-userdir.patch ---
>From miles at lubin.us Sat Dec 3 01:21:51 2005
From: miles at lubin.us (Miles Lubin)
Date: Sat Dec 3 01:23:25 2005
Subject: [suPHP] mod_userdir patch for 0.6.1
Message-ID: <4390E51F.3080506 at lubin.us>
Attached is the mod_userdir patch updated to 0.6.1.
The patch allows suphp to correctly handle permissions with user sites,
generated by mod_suphp; instead of using the permissions of the main
site for force and paranoid mode, it will use the permissions of the
correct user.
Changes from 0.6.0 patch:
- handle_userdir is enabled by default, set handle_userdir=false in
/etc/suphp.conf to disable it
- check the length of the url argument in checkUserDir() (a theoretical
security issue, though not exploitable)
- made the code more conforming to the suphp's coding style
Miles Lubin
-------------- next part --------------
diff -ur suphp-0.6.1/doc/CONFIG suphp-0.6.1-userdir/doc/CONFIG
--- suphp-0.6.1/doc/CONFIG 2005-11-26 14:45:49.000000000 -0500
+++ suphp-0.6.1-userdir/doc/CONFIG 2005-12-02 15:07:41.000000000 -0500
@@ -95,6 +95,11 @@
Minimum GID allowed to execute scripts.
Defaults to compile-time value.
+handle_userdir:
+ Handle sites created by mod_userdir.
+ Scripts on userdir sites will be executed with the permissions
+ of the owner of the site. This option only affects force and paranoid mode.
+ This option is enabled by default.
3. Handlers
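Review bot: The new handle_userdir entry in doc/CONFIG does not say how a userdir site is recognised or what the option overrides. Per checkUserDir() later in this patch, the decision is made from the request URI alone (second character `~`, then a user lookup on the first path segment), and a match replaces the SUPHP_USER/SUPHP_GROUP values; the entry should state both so administrators know their configured user and group are bypassed for any /~name URI.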
diff -ur suphp-0.6.1/doc/suphp.conf-example suphp-0.6.1-userdir/doc/suphp.conf-example
--- suphp-0.6.1/doc/suphp.conf-example 2005-11-26 14:45:49.000000000 -0500
+++ suphp-0.6.1-userdir/doc/suphp.conf-example 2005-12-02 15:07:41.000000000 -0500
@@ -38,6 +38,8 @@
; Minimum GID
min_gid=100
+; Use correct permissions for mod_userdir sites
+handle_userdir=true
[handlers]
;Handler for php-scripts
diff -ur suphp-0.6.1/src/Application.cpp suphp-0.6.1-userdir/src/Application.cpp
--- suphp-0.6.1/src/Application.cpp 2005-11-26 14:45:49.000000000 -0500
+++ suphp-0.6.1-userdir/src/Application.cpp 2005-12-02 17:18:27.000000000 -0500
@@ -19,6 +19,7 @@
*/
#include <iostream>
+#include <sstream>
#include "config.h"
@@ -300,29 +301,33 @@
// Paranoid and force mode
#if (defined(OPT_USERGROUP_PARANOID) || defined(OPT_USERGROUP_FORCE))
- std::string targetUsername, targetGroupname;
- try {
- targetUsername = environment.getVar("SUPHP_USER");
- targetGroupname = environment.getVar("SUPHP_GROUP");
- } catch (KeyNotFoundException& e) {
- throw SecurityException(
+ if (config.getHandleUserdir() && checkUserDir(environment.getVar("SUPHP_URI"),targetUser)) {
+ targetGroup = targetUser.getGroupInfo();
+ } else {
+ std::string targetUsername, targetGroupname;
+ try {
+ targetUsername = environment.getVar("SUPHP_USER");
+ targetGroupname = environment.getVar("SUPHP_GROUP");
+ } catch (KeyNotFoundException& e) {
+ throw SecurityException(
"Environment variable SUPHP_USER or SUPHP_GROUP not set",
__FILE__, __LINE__);
- }
+ }
- if (targetUsername[0] == '#' && targetUsername.find_first_not_of(
+ if (targetUsername[0] == '#' && targetUsername.find_first_not_of(
"0123456789", 1) == std::string::npos) {
- targetUser = api.getUserInfo(Util::strToInt(targetUsername.substr(1)));
- } else {
- targetUser = api.getUserInfo(targetUsername);
- }
+ targetUser = api.getUserInfo(Util::strToInt(targetUsername.substr(1)));
+ } else {
+ targetUser = api.getUserInfo(targetUsername);
+ }
- if (targetGroupname[0] == '#' && targetGroupname.find_first_not_of(
+ if (targetGroupname[0] == '#' && targetGroupname.find_first_not_of(
"0123456789", 1) == std::string::npos) {
- targetGroup = api.getGroupInfo(
+ targetGroup = api.getGroupInfo(
Util::strToInt(targetGroupname.substr(1)));
- } else {
- targetGroup = api.getGroupInfo(targetGroupname);
+ } else {
+ targetGroup = api.getGroupInfo(targetGroupname);
+ }
}
#endif // OPT_USERGROUP_PARANOID || OPT_USERGROUP_FORCE
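Review bot: In the new `if` condition, `environment.getVar("SUPHP_URI")` is called outside the try block, so a missing variable is not converted into the SecurityException that the SUPHP_USER/SUPHP_GROUP lookup in the else branch produces. Wrap the call in the same KeyNotFoundException handling, or fall through to the else branch when SUPHP_URI is not set, so that behaviour is defined when the web-server module does not export the variable.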
@@ -473,6 +478,28 @@
}
}
+bool suPHP::Application::checkUserDir(const std::string& url, UserInfo& user) const {
+
+ if (url.length() <= 2 || url[1] != '~')
+ return false;
+
+ API& api = API_Helper::getSystemAPI();
+ std::string topDir;
+ std::istringstream strm(url);
+
+ for (int i = 0; i < 2; i++)
+ if (!std::getline(strm, topDir, '/'))
+ return false;
+
+ std::string userName = topDir.substr(1,topDir.length());
+
+ try {
+ user = api.getUserInfo(userName);
+ return true;
+ } catch (LookupException& e) {
+ return false;
+ }
+}
int main(int argc, char **argv) {
try {
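Review bot: checkUserDir() picks the target user from the URI text alone: it tests `url[1] != '~'` without checking that `url[0]` is '/', and returns true as soon as the name after the tilde resolves to an account. Nothing in the function ties that account to the script that will actually be executed, so it should also confirm that the script path lies under the looked-up user's directory (or have the web-server module pass the user it mapped) before returning true. Smaller point: `topDir.substr(1,topDir.length())` can simply be `topDir.substr(1)`.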
diff -ur suphp-0.6.1/src/Application.hpp suphp-0.6.1-userdir/src/Application.hpp
--- suphp-0.6.1/src/Application.hpp 2005-11-26 14:45:49.000000000 -0500
+++ suphp-0.6.1-userdir/src/Application.hpp 2005-12-02 15:07:41.000000000 -0500
@@ -39,6 +39,7 @@
#include "SystemException.hpp"
#include "SoftException.hpp"
#include "SecurityException.hpp"
+#include "UserInfo.hpp"
namespace suPHP {
/**
@@ -107,6 +108,12 @@
const Configuration& config) const
throw (SoftException);
+ /**
+ * Checks if a given URL is a userdir
+ * associated user is assigned to the user parameter
+ */
+ bool checkUserDir(const std::string& url,
+ UserInfo& user) const;
public:
/**
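Review bot: The doc comment added for checkUserDir() reads as two sentence fragments and omits the return value. Suggest stating that the function returns true when the URL refers to a userdir site, that `user` is assigned only in that case, and that it is left unchanged when the function returns false.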
diff -ur suphp-0.6.1/src/Configuration.cpp suphp-0.6.1-userdir/src/Configuration.cpp
--- suphp-0.6.1/src/Configuration.cpp 2005-11-26 14:45:49.000000000 -0500
+++ suphp-0.6.1-userdir/src/Configuration.cpp 2005-12-02 17:22:46.000000000 -0500
@@ -112,6 +112,7 @@
#endif
this->umask = 0077;
this->chroot_path = "";
+ this->handle_userdir = true;
}
void suPHP::Configuration::readFromFile(File& file)
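Review bot: Setting `this->handle_userdir = true;` in the constructor changes which user scripts run as on existing force and paranoid mode installations as soon as the patched build is installed, with no edit to suphp.conf. Consider defaulting to false and letting the example configuration opt in, or call the behaviour change out prominently in the package changelog.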
@@ -157,6 +158,8 @@
this->umask = Util::octalStrToInt(value);
else if (key == "chroot")
this->chroot_path = value;
+ else if (key == "handle_userdir")
+ this->handle_userdir = this->strToBool(value);
else
throw ParsingException("Unknown option \"" + key +
"\" in section [global]",
@@ -250,3 +253,7 @@
std::string suPHP::Configuration::getChrootPath() const {
return this->chroot_path;
}
+
+bool suPHP::Configuration::getHandleUserdir() const {
+ return this->handle_userdir;
+}
diff -ur suphp-0.6.1/src/Configuration.hpp suphp-0.6.1-userdir/src/Configuration.hpp
--- suphp-0.6.1/src/Configuration.hpp 2005-11-26 14:45:49.000000000 -0500
+++ suphp-0.6.1-userdir/src/Configuration.hpp 2005-12-02 15:07:41.000000000 -0500
@@ -57,7 +57,8 @@
int min_gid;
int umask;
std::string chroot_path;
-
+ bool handle_userdir;
+
/**
* Converts string to bool
*/
@@ -165,6 +166,12 @@
* Return chroot path
*/
std::string getChrootPath() const;
+
+ /**
+ * Return whether to correctly handle mod_userdir sites
+ */
+ bool getHandleUserdir() const;
+
};
};
diff -ur suphp-0.6.1/src/apache/mod_suphp.c suphp-0.6.1-userdir/src/apache/mod_suphp.c
--- suphp-0.6.1/src/apache/mod_suphp.c 2005-11-26 14:45:49.000000000 -0500
+++ suphp-0.6.1-userdir/src/apache/mod_suphp.c 2005-12-02 15:07:41.000000000 -0500
@@ -444,7 +444,10 @@
}
}
}
-
+
+ /* for mod_userdir checking */
+ apr_table_setn(r->subprocess_env, "SUPHP_URI", apr_pstrdup(p, r->uri));
+
if (auth_user && auth_pass) {
ap_table_setn(r->subprocess_env, "SUPHP_AUTH_USER", auth_user);
ap_table_setn(r->subprocess_env, "SUPHP_AUTH_PW", auth_pass);
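Review bot: The added line in src/apache/mod_suphp.c calls `apr_table_setn` and `apr_pstrdup`, while the context lines directly below it use `ap_table_setn`; the apr_ names belong to the Apache 2 API, so for the Apache 1.3 module this should use `ap_table_setn` and `ap_pstrdup`. Also confirm that `p` is a pool in scope at this point, since the hunk does not show its declaration.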
diff -ur suphp-0.6.1/src/apache2/mod_suphp.c suphp-0.6.1-userdir/src/apache2/mod_suphp.c
--- suphp-0.6.1/src/apache2/mod_suphp.c 2005-11-26 14:45:49.000000000 -0500
+++ suphp-0.6.1-userdir/src/apache2/mod_suphp.c 2005-12-02 15:07:41.000000000 -0500
@@ -461,6 +461,10 @@
}
}
+ /* for mod_userdir checking */
+ apr_table_setn(r->subprocess_env, "SUPHP_URI",
+ apr_pstrdup(r->pool, r->uri));
+
if (auth_user && auth_pass)
{
apr_table_setn(r->subprocess_env, "SUPHP_AUTH_USER", auth_user);
--- NEW FILE mod_suphp.conf ---
# This is the Apache server configuration file providing suPHP support..
# It contains the configuration directives to instruct the server how to
# serve php pages while switching to the user context before rendering.
# For directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_suphp.html>
LoadModule suphp_module modules/mod_suphp.so
# Define PHP Types
AddType application/x-httpd-php .php
# To use suPHP to parse PHP-Files
### Uncomment to activate mod_suphp
#AddHandler x-httpd-php .php
# This option tells mod_suphp if a PHP-script requested on this server (or
# VirtualHost) should be run with the PHP-interpreter or returned to the
# browser "as it is".
suPHP_Engine on
suPHP_AddHandler x-httpd-php
# This option tells mod_suphp which path to pass on to the PHP-interpreter
# (by setting the PHPRC environment variable).
# Do *NOT* refer to a file but to the directory the file resists in.
#
# E.g.: If you want to use "/path/to/server/config/php.ini", use "suPHP_Config
# /path/to/server/config".
#
# If you don't use this option, PHP will use its compiled in default path.
#suPHP_ConfigPath /etc
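Review bot: The comment explaining the config path gives its example as "suPHP_Config /path/to/server/config", but the directive shown on the last line is `suPHP_ConfigPath`; the example should use the actual directive name. In the same comment "resists in" should be "resides in", and the first line of the file ends with a doubled period.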
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/mod_suphp/devel/sources,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- sources 6 Feb 2006 16:36:27 -0000 1.3
+++ sources 6 Feb 2006 16:40:00 -0000 1.4
@@ -1,6 +1 @@
7eb8ae29404392d9eb07c69d5242d716 suphp-0.6.1.tar.gz
-4d95b68cc54bc401ec5b4005baf0ad51 README.fedora
-5252fb24e364451c1ffb0d3e112a61ba mod_suphp-0.6.1-userdir.patch
-33939dd30a5271a7d9daeb2b362dd11e mod_suphp-0.6.1-AddHandler.patch
-b7cbd9c5cea2249625018629b86a2a11 suphp.conf
-2c4c073c47ba34ef72293bdaff693a98 mod_suphp.conf