[httpd] fix #716621 - suexec now works without setuid bit

Jan Kaluža jkaluza at fedoraproject.org
Wed Jul 20 06:54:21 UTC 2011


commit a1caf8d2f64f50c4bfc562f9ffd35ac762ce987e
Author: Jan Kaluza <hanzz.k at gmail.com>
Date:   Wed Jul 20 08:53:17 2011 +0200

    fix #716621 - suexec now works without setuid bit

 httpd-2.2.9-suenable.patch |   17 ++++++++++++-----
 httpd.spec                 |    8 ++++++--
 2 files changed, 18 insertions(+), 7 deletions(-)
---
diff --git a/httpd-2.2.9-suenable.patch b/httpd-2.2.9-suenable.patch
index a449237..9e9f70f 100644
--- a/httpd-2.2.9-suenable.patch
+++ b/httpd-2.2.9-suenable.patch
@@ -1,13 +1,20 @@
+Removes setuid check because we are now using capabilities to ensure proper
+suexec rights.
 
-Upstream-Status: in trunk, differently
+Upstream-status: Not acceptable for upstream in current status.
+suexec_enabled part is in trunk,differently
 
---- httpd-2.2.9/os/unix/unixd.c.suenable
-+++ httpd-2.2.9/os/unix/unixd.c
-@@ -215,7 +215,7 @@ AP_DECLARE(void) unixd_pre_config(apr_po
+diff --git a/os/unix/unixd.c b/os/unix/unixd.c
+index 85d5a98..1ee1dfe 100644
+--- a/os/unix/unixd.c
++++ b/os/unix/unixd.c
+@@ -271,8 +271,8 @@ AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp)
+         return;
      }
  
-     if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
+-    if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
 -        unixd_config.suexec_enabled = 1;
++    if (wrapper.user == 0) {
 +        unixd_config.suexec_enabled = access(SUEXEC_BIN, R_OK|X_OK) == 0;
      }
  }
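Review bot: The new test `unixd_config.suexec_enabled = access(SUEXEC_BIN, R_OK|X_OK) == 0;` does not establish that the wrapper can change identity. With the `APR_USETID` condition removed, a root-owned suexec that has neither the setuid bit nor its file capabilities (for example after a copy or restore that drops extended attributes) is still reported as enabled. `access()` also evaluates permissions for the real UID of the caller, which during pre-config is presumably root rather than the runtime user, so it says little about whether the server's worker identity can execute the mode-510 binary. Consider accepting each privilege source explicitly: keep `(wrapper.protection & APR_USETID)` as one alternative and, if linking libcap is acceptable, check the capability set with `cap_get_file(SUEXEC_BIN)` as the other. A comment such as `/* suexec is privileged through file capabilities set in httpd.spec, not the setuid bit */` would also help; the body of unixd_pre_config starts outside this hunk.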
diff --git a/httpd.spec b/httpd.spec
index 1682a98..57de07a 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.2.19
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
 Source1: index.html
@@ -452,7 +452,8 @@ rm -rf $RPM_BUILD_ROOT
 %{_sbindir}/ht*
 %{_sbindir}/apachectl
 %{_sbindir}/rotatelogs
-%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
+# cap_dac_override needed to write to /var/log/httpd
+%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
 
 %dir %{_libdir}/httpd
 %dir %{_libdir}/httpd/modules
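Review bot: `cap_dac_override+pe` on the `%caps` line lets suexec bypass every file read, write and execute permission check for its whole run, which is much wider than the need stated in the comment (writing to /var/log/httpd). Because `%attr(510,root,%{suexec_caller})` makes the binary executable by that group, any process in the group starts suexec with the capability already effective; whether suexec drops it before it handles the requested path is not visible in this diff. A narrower option is to keep `cap_setuid,cap_setgid+pe` and make the suexec log itself appendable by the caller through ownership or group permissions set in `%files`. If the capability has to stay, extend the comment to say so, e.g. `# cap_dac_override: suexec no longer runs as root and must append to its log under /var/log/httpd; this bypasses all DAC checks`.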
@@ -511,6 +512,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/httpd/build/*.sh
 
 %changelog
+* Wed Jul 20 2011 Jan Kaluza <jkaluza at redhat.com> - 2.2.19-3
+- fix #716621 - suexec now works without setuid bit
+
 * Thu Jul 14 2011 Jan Kaluza <jkaluza at redhat.com> - 2.2.19-2
 - fix #689091 - backported patch from 2.3 branch to support IPv6 in logresolve
 

