source: server/common/patches/httpd-suexec-scripts.patch @ 204

Last change on this file since 204 was 204, checked in by presbrey, 17 years ago
gems install script rpms install script user import signup script suexec SELinux error bug fix
File size: 4.5 KB

  • httpd-2.2.2/support/Makefile.in 

    # scripts.mit.edu httpd suexec patch
# Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>, Joe Presbrey <presbrey@mit.edu>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
#
# See /COPYRIGHT in this repository for more information.
#
    old new  
    6060
    6161suexec_OBJECTS = suexec.lo
    6262suexec: $(suexec_OBJECTS)
    63         $(LINK) $(suexec_OBJECTS)
     63        $(LINK) -lselinux $(suexec_OBJECTS)
    6464
    6565htcacheclean_OBJECTS = htcacheclean.lo
    6666htcacheclean: $(htcacheclean_OBJECTS)

  • httpd-2.2.2/support/suexec.c

    old new  
    4646#include <stdio.h>
    4747#include <stdarg.h>
    4848#include <stdlib.h>
     49#include <selinux/selinux.h>
    4950
    5051#ifdef HAVE_PWD_H
    5152#include <pwd.h>
     
    9596{
    9697    /* variable name starts with */
    9798    "HTTP_",
     99    "HTTPS_",
    98100    "SSL_",
    99101
    100102    /* variable name is */
     
    140142    "UNIQUE_ID=",
    141143    "USER_NAME=",
    142144    "TZ=",
     145    "PHPRC=",
    143146    NULL
    144147};
    145148
     
    450453     * Error out if attempt is made to execute as root or as
    451454     * a UID less than AP_UID_MIN.  Tsk tsk.
    452455     */
    453     if ((uid == 0) || (uid < AP_UID_MIN)) {
     456    if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) {
    454457        log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
    455458        exit(107);
    456459    }
     
    482485        log_err("failed to setuid (%ld: %s)\n", uid, cmd);
    483486        exit(110);
    484487    }
     488    if (uid == 102) {
     489        if (setexeccon("system_u:system_r:signup_t:s0") == -1) {
     490            log_err("failed to setexeccon (%ld: %s) to signup_t\n", uid, cmd);
     491            exit(201);
     492        }
     493    } else {
     494        if (setexeccon("user_u:user_r:user_t:s0") == -1) {
     495            log_err("failed to setexeccon (%ld: %s) to user_t\n", uid, cmd);
     496            exit(202);
     497        }
     498    }
    485499
    486500    /*
    487501     * Get the current working directory, as well as the proper
     
    513527            exit(113);
    514528        }
    515529    }
     530    char *expected = malloc(strlen(target_homedir)+strlen(AP_USERDIR_SUFFIX)+1);
     531    sprintf(expected, "%s/%s", target_homedir, AP_USERDIR_SUFFIX);
     532    if ((strncmp(cwd, expected, strlen(expected))) != 0) {
     533        log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected);
     534        exit(114);
     535    }
    516536
    517537    if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
    518538        log_err("command not in docroot (%s/%s)\n", cwd, cmd);
     
    530550    /*
    531551     * Error out if cwd is writable by others.
    532552     */
     553#if 0
    533554    if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) {
    534555        log_err("directory is writable by others: (%s)\n", cwd);
    535556        exit(116);
    536557    }
     558#endif
    537559
    538560    /*
    539561     * Error out if we cannot stat the program.
    540562     */
    541     if (((lstat(cmd, &prg_info)) != 0) || (S_ISLNK(prg_info.st_mode))) {
     563    if (((lstat(cmd, &prg_info)) != 0) /*|| (S_ISLNK(prg_info.st_mode))*/) {
    542564        log_err("cannot stat program: (%s)\n", cmd);
    543565        exit(117);
    544566    }
     
    546568    /*
    547569     * Error out if the program is writable by others.
    548570     */
     571#if 0
    549572    if ((prg_info.st_mode & S_IWOTH) || (prg_info.st_mode & S_IWGRP)) {
    550573        log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
    551574        exit(118);
    552575    }
     576#endif
    553577
    554578    /*
    555579     * Error out if the file is setuid or setgid.
     
    563587     * Error out if the target name/group is different from
    564588     * the name/group of the cwd or the program.
    565589     */
     590#if 0
    566591    if ((uid != dir_info.st_uid) ||
    567592        (gid != dir_info.st_gid) ||
    568593        (uid != prg_info.st_uid) ||
     
    574599                prg_info.st_uid, prg_info.st_gid);
    575600        exit(120);
    576601    }
     602#endif
    577603    /*
    578604     * Error out if the program is not executable for the user.
    579605     * Otherwise, she won't find any error in the logs except for
Note: See TracBrowser for help on using the repository browser.