source: server/common/patches/httpd-suexec-scripts.patch @ 204

Last change on this file since 204 was 204, checked in by presbrey, 17 years ago
gems install script rpms install script user import signup script suexec SELinux error bug fix
File size: 4.5 KB
RevLine 
[1]1# scripts.mit.edu httpd suexec patch
[103]2# Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>, Joe Presbrey <presbrey@mit.edu>
[1]3#
4# This program is free software; you can redistribute it and/or
5# modify it under the terms of the GNU General Public License
6# as published by the Free Software Foundation; either version 2
7# of the License, or (at your option) any later version.
8#
9# This program is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with this program; if not, write to the Free Software
16# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
17#
18# See /COPYRIGHT in this repository for more information.
19#
[103]20--- httpd-2.2.2/support/Makefile.in.old 2005-07-06 19:15:34.000000000 -0400
21+++ httpd-2.2.2/support/Makefile.in     2007-01-20 17:12:51.000000000 -0500
22@@ -60,7 +60,7 @@
23
24 suexec_OBJECTS = suexec.lo
25 suexec: $(suexec_OBJECTS)
26-       $(LINK) $(suexec_OBJECTS)
27+       $(LINK) -lselinux $(suexec_OBJECTS)
28
29 htcacheclean_OBJECTS = htcacheclean.lo
30 htcacheclean: $(htcacheclean_OBJECTS)
[1]31--- httpd-2.2.2/support/suexec.c.old    2006-04-21 21:53:06.000000000 -0400
32+++ httpd-2.2.2/support/suexec.c        2006-08-25 10:04:22.000000000 -0400
[103]33@@ -46,6 +46,7 @@
34 #include <stdio.h>
35 #include <stdarg.h>
36 #include <stdlib.h>
37+#include <selinux/selinux.h>
38 
39 #ifdef HAVE_PWD_H
40 #include <pwd.h>
41@@ -95,6 +96,7 @@
[1]42 {
43     /* variable name starts with */
44     "HTTP_",
45+    "HTTPS_",
46     "SSL_",
47 
48     /* variable name is */
[103]49@@ -140,6 +142,7 @@
[1]50     "UNIQUE_ID=",
51     "USER_NAME=",
52     "TZ=",
53+    "PHPRC=",
54     NULL
55 };
56 
[103]57@@ -450,7 +453,7 @@
58      * Error out if attempt is made to execute as root or as
59      * a UID less than AP_UID_MIN.  Tsk tsk.
60      */
61-    if ((uid == 0) || (uid < AP_UID_MIN)) {
62+    if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) {
63         log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
64         exit(107);
65     }
66@@ -482,6 +485,17 @@
67         log_err("failed to setuid (%ld: %s)\n", uid, cmd);
68         exit(110);
69     }
70+    if (uid == 102) {
[113]71+        if (setexeccon("system_u:system_r:signup_t:s0") == -1) {
[204]72+            log_err("failed to setexeccon (%ld: %s) to signup_t\n", uid, cmd);
[103]73+            exit(201);
74+        }
75+    } else {
76+        if (setexeccon("user_u:user_r:user_t:s0") == -1) {
[204]77+            log_err("failed to setexeccon (%ld: %s) to user_t\n", uid, cmd);
[103]78+            exit(202);
79+        }
80+    }
81 
82     /*
83      * Get the current working directory, as well as the proper
84@@ -513,6 +527,12 @@
[1]85             exit(113);
86         }
87     }
88+    char *expected = malloc(strlen(target_homedir)+strlen(AP_USERDIR_SUFFIX)+1);
89+    sprintf(expected, "%s/%s", target_homedir, AP_USERDIR_SUFFIX);
90+    if ((strncmp(cwd, expected, strlen(expected))) != 0) {
91+        log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected);
92+        exit(114);
93+    }
94 
95     if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
96         log_err("command not in docroot (%s/%s)\n", cwd, cmd);
[103]97@@ -530,15 +550,17 @@
[1]98     /*
99      * Error out if cwd is writable by others.
100      */
101+#if 0
102     if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) {
103         log_err("directory is writable by others: (%s)\n", cwd);
104         exit(116);
105     }
106+#endif
107 
108     /*
109      * Error out if we cannot stat the program.
110      */
111-    if (((lstat(cmd, &prg_info)) != 0) || (S_ISLNK(prg_info.st_mode))) {
112+    if (((lstat(cmd, &prg_info)) != 0) /*|| (S_ISLNK(prg_info.st_mode))*/) {
113         log_err("cannot stat program: (%s)\n", cmd);
114         exit(117);
115     }
[103]116@@ -546,10 +568,12 @@
[1]117     /*
118      * Error out if the program is writable by others.
119      */
120+#if 0
121     if ((prg_info.st_mode & S_IWOTH) || (prg_info.st_mode & S_IWGRP)) {
122         log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
123         exit(118);
124     }
125+#endif
126 
127     /*
128      * Error out if the file is setuid or setgid.
[103]129@@ -563,6 +587,7 @@
[1]130      * Error out if the target name/group is different from
131      * the name/group of the cwd or the program.
132      */
133+#if 0
134     if ((uid != dir_info.st_uid) ||
135         (gid != dir_info.st_gid) ||
136         (uid != prg_info.st_uid) ||
[103]137@@ -574,6 +599,7 @@
[1]138                 prg_info.st_uid, prg_info.st_gid);
139         exit(120);
140     }
141+#endif
142     /*
143      * Error out if the program is not executable for the user.
144      * Otherwise, she won't find any error in the logs except for
Note: See TracBrowser for help on using the repository browser.