--- rpmbuild/SPECS/httpd.spec.~1~ 2014-07-23 06:24:15.000000000 -0400 +++ httpd.spec 2014-08-26 21:10:34.994027237 -0400 @@ -15,7 +15,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.10 -Release: 1%{?dist} +Release: 1%{?dist}.scripts.%{scriptsversion} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -65,6 +65,13 @@ # Bug fixes Patch55: httpd-2.4.4-malformed-host.patch Patch56: httpd-2.4.4-mod_unique_id.patch + +Patch1001: httpd-suexec-scripts.patch +Patch1002: httpd-mod_status-security.patch +Patch1003: httpd-304s.patch +Patch1004: httpd-fixup-vhost.patch +Patch1005: httpd-allow-null-user.patch + License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -77,6 +84,7 @@ Provides: webserver Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release} Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}, httpd-mmn = %{oldmmnisa} +Provides: scripts-httpd = %{version}-%{release} Requires: httpd-tools = %{version}-%{release} Requires(pre): /usr/sbin/useradd Requires(preun): systemd-units @@ -94,6 +102,7 @@ Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel Requires: apr-devel, apr-util-devel, pkgconfig Requires: httpd = %{version}-%{release} +Provides: scripts-httpd-devel = %{version}-%{release} %description devel The httpd-devel package contains the APXS binary and other files @@ -132,6 +141,7 @@ Requires(post): openssl, /bin/cat Requires(pre): httpd Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +Provides: scripts-mod_ssl Obsoletes: stronghold-mod_ssl %description -n mod_ssl @@ -190,6 +200,12 @@ %patch55 -p1 -b .malformedhost %patch56 -p1 -b .uniqueid +%patch1001 -p1 -b .suexec-scripts +%patch1002 -p1 -b .mod_status-security +%patch1003 -p1 -b .scripts-304s +%patch1004 -p1 -b .fixup-vhost +%patch1005 -p1 -b .allow-null-user + # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -242,11 +258,13 @@ --enable-suexec --with-suexec \ --enable-suexec-capabilities \ --with-suexec-caller=%{suexec_caller} \ - --with-suexec-docroot=%{docroot} \ - --without-suexec-logfile \ - --with-suexec-syslog \ + --with-suexec-docroot=/ \ + --with-suexec-userdir=web_scripts \ + --with-suexec-trusteddir=/usr/libexec/scripts-trusted \ + --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \ + --without-suexec-syslog \ --with-suexec-bin=%{_sbindir}/suexec \ - --with-suexec-uidmin=500 --with-suexec-gidmin=100 \ + --with-suexec-uidmin=50 --with-suexec-gidmin=50 \ --enable-pie \ --with-pcre \ --enable-mods-shared=all \ @@ -542,7 +560,8 @@ %{_sbindir}/fcgistarter %{_sbindir}/apachectl %{_sbindir}/rotatelogs -%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec +# cap_dac_override needed to write to /var/log/httpd +%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec %dir %{_libdir}/httpd %dir %{_libdir}/httpd/modules @@ -1014,3 +1033,8 @@ * Sun Apr 04 2010 Robert Scheck - 2.2.15-1 - update to 2.2.15 (#572404, #579311) +Patch1001: httpd-suexec-scripts.patch +Patch1002: httpd-mod_status-security.patch +Patch1003: httpd-304s.patch +Patch1004: httpd-fixup-vhost.patch +Patch1005: httpd-allow-null-user.patch