source: server/common/patches/httpd-suexec-scripts.patch @ 403

Last change on this file since 403 was 403, checked in by presbrey, 17 years ago
allow directives like SetEnv PYTHONPATH/PERL5LIB etc.
File size: 6.0 KB

  • httpd-2.2.2/support/Makefile.in 

    # scripts.mit.edu httpd suexec patch
# Copyright (C) 2006, 2007  Jeff Arnold <jbarnold@mit.edu>, Joe Presbrey <presbrey@mit.edu>, Anders Kaseorg <andersk@mit.edu>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
#
# See /COPYRIGHT in this repository for more information.
#
    old new  
    6060
    6161suexec_OBJECTS = suexec.lo
    6262suexec: $(suexec_OBJECTS)
    63         $(LINK) $(suexec_OBJECTS)
     63        $(LINK) -lselinux $(suexec_OBJECTS)
    6464
    6565htcacheclean_OBJECTS = htcacheclean.lo
    6666htcacheclean: $(htcacheclean_OBJECTS)

  • httpd-2.2.2/support/suexec.c

    old new  
    3030 *
    3131 */
    3232
     33#define STATIC_CAT_PATH "/usr/local/bin/static-cat"
     34
    3335#include "apr.h"
    3436#include "ap_config.h"
    3537#include "suexec.h"
     
    4648#include <stdio.h>
    4749#include <stdarg.h>
    4850#include <stdlib.h>
     51#include <selinux/selinux.h>
    4952
    5053#ifdef HAVE_PWD_H
    5154#include <pwd.h>
     
    9598{
    9699    /* variable name starts with */
    97100    "HTTP_",
     101    "HTTPS_",
    98102    "SSL_",
     103    "PERL",
     104    "PYTHON",
    99105
    100106    /* variable name is */
     
    140146    "UNIQUE_ID=",
    141147    "USER_NAME=",
    142148    "TZ=",
     149    "PHPRC=",
    143150    NULL
    144151};
    145152
     
    245252    environ = cleanenv;
    246253}
    247254
     255static const char *static_extensions[] = {
     256    "html",
     257    "css",
     258    "gif",
     259    "jpg",
     260    "png",
     261    "htm",
     262    "jpeg",
     263    "js",
     264    "ico",
     265    "xml",
     266    "xsl",
     267    "tiff",
     268    "tif",
     269    "tgz",
     270    "tar",
     271    "jar",
     272    "zip",
     273    "pdf",
     274    "ps",
     275    "doc",
     276    "xls",
     277    "ppt",
     278    "swf",
     279    "mp3",
     280    "mov",
     281    "wmv",
     282    "mpg",
     283    "mpeg",
     284    "avi",
     285    "il",
     286    "JPG",
     287    "xhtml",
     288    NULL
     289};
     290
     291static int is_static_extension(const char *file)
     292{
     293    const char *extension = strrchr(file, '.');
     294    const char **p;
     295    if (extension == NULL) return 0;
     296    for (p = static_extensions; *p; ++p) {
     297        if (strcmp(extension + 1, *p) == 0) return 1;
     298    }
     299    return 0;
     300}
     301
    248302int main(int argc, char *argv[])
    249303{
    250304    int userdir = 0;        /* ~userdir flag             */
     
    450504     * Error out if attempt is made to execute as root or as
    451505     * a UID less than AP_UID_MIN.  Tsk tsk.
    452506     */
    453     if ((uid == 0) || (uid < AP_UID_MIN)) {
     507    if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) {
    454508        log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
    455509        exit(107);
    456510    }
     
    482536        log_err("failed to setuid (%ld: %s)\n", uid, cmd);
    483537        exit(110);
    484538    }
     539    if (is_selinux_enabled()) {
     540        if (uid == 102) {
     541            if (setexeccon("system_u:system_r:signup_t:s0") == -1) {
     542                log_err("failed to setexeccon (%ld: %s) to signup_t\n", uid, cmd);
     543                exit(201);
     544            }
     545        } else {
     546            if (setexeccon("user_u:user_r:user_t:s0") == -1) {
     547                log_err("failed to setexeccon (%ld: %s) to user_t\n", uid, cmd);
     548                exit(202);
     549            }
     550        }
     551    }
    485552
    486553    /*
    487554     * Get the current working directory, as well as the proper
     
    513580            exit(113);
    514581        }
    515582    }
     583    size_t expected_len = strlen(target_homedir)+1+strlen(AP_USERDIR_SUFFIX)+1;
     584    char *expected = malloc(expected_len);
     585    snprintf(expected, expected_len, "%s/%s", target_homedir, AP_USERDIR_SUFFIX);
     586    if (strncmp(cwd, expected, expected_len-1) != 0) {
     587        log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected);
     588        exit(114);
     589    }
    516590
    517591    if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
    518592        log_err("command not in docroot (%s/%s)\n", cwd, cmd);
     
    530604    /*
    531605     * Error out if cwd is writable by others.
    532606     */
     607#if 0
    533608    if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) {
    534609        log_err("directory is writable by others: (%s)\n", cwd);
    535610        exit(116);
    536611    }
     612#endif
    537613
    538614    /*
    539615     * Error out if we cannot stat the program.
    540616     */
    541     if (((lstat(cmd, &prg_info)) != 0) || (S_ISLNK(prg_info.st_mode))) {
     617    if (((lstat(cmd, &prg_info)) != 0) /*|| (S_ISLNK(prg_info.st_mode))*/) {
    542618        log_err("cannot stat program: (%s)\n", cmd);
    543619        exit(117);
    544620    }
     
    546622    /*
    547623     * Error out if the program is writable by others.
    548624     */
     625#if 0
    549626    if ((prg_info.st_mode & S_IWOTH) || (prg_info.st_mode & S_IWGRP)) {
    550627        log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
    551628        exit(118);
    552629    }
     630#endif
    553631
    554632    /*
    555633     * Error out if the file is setuid or setgid.
     
    563641     * Error out if the target name/group is different from
    564642     * the name/group of the cwd or the program.
    565643     */
     644#if 0
    566645    if ((uid != dir_info.st_uid) ||
    567646        (gid != dir_info.st_gid) ||
    568647        (uid != prg_info.st_uid) ||
     
    574653                prg_info.st_uid, prg_info.st_gid);
    575654        exit(120);
    576655    }
     656#endif
    577657    /*
    578658     * Error out if the program is not executable for the user.
    579659     * Otherwise, she won't find any error in the logs except for
     
    609689        log = NULL;
    610690    }
    611691
     692    if (is_static_extension(cmd)) {
     693        argv[2] = STATIC_CAT_PATH;
     694        execv(STATIC_CAT_PATH, &argv[2]);
     695        log_err("(%d)%s: static_cat exec failed (%s)\n", errno, strerror(errno), argv[2]);
     696        exit(255);
     697    }
     698
    612699    /*
    613700     * Execute the command, replacing our image with its own.
    614701     */
Note: See TracBrowser for help on using the repository browser.