Ignore:
Timestamp:
Jan 20, 2007, 10:24:14 PM (18 years ago)
Author:
presbrey
Message:
suexec SELinux transition
File:
1 edited

Legend:

Unmodified
Added
Removed
  • server/common/patches/httpd-suexec-scripts.patch

    r1 r103  
    11# scripts.mit.edu httpd suexec patch
    2 # Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
     2# Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>, Joe Presbrey <presbrey@mit.edu>
    33#
    44# This program is free software; you can redistribute it and/or
     
    1818# See /COPYRIGHT in this repository for more information.
    1919#
     20--- httpd-2.2.2/support/Makefile.in.old 2005-07-06 19:15:34.000000000 -0400
     21+++ httpd-2.2.2/support/Makefile.in     2007-01-20 17:12:51.000000000 -0500
     22@@ -60,7 +60,7 @@
     23
     24 suexec_OBJECTS = suexec.lo
     25 suexec: $(suexec_OBJECTS)
     26-       $(LINK) $(suexec_OBJECTS)
     27+       $(LINK) -lselinux $(suexec_OBJECTS)
     28
     29 htcacheclean_OBJECTS = htcacheclean.lo
     30 htcacheclean: $(htcacheclean_OBJECTS)
    2031--- httpd-2.2.2/support/suexec.c.old    2006-04-21 21:53:06.000000000 -0400
    2132+++ httpd-2.2.2/support/suexec.c        2006-08-25 10:04:22.000000000 -0400
    22 @@ -95,6 +95,7 @@
     33@@ -46,6 +46,7 @@
     34 #include <stdio.h>
     35 #include <stdarg.h>
     36 #include <stdlib.h>
     37+#include <selinux/selinux.h>
     38 
     39 #ifdef HAVE_PWD_H
     40 #include <pwd.h>
     41@@ -95,6 +96,7 @@
    2342 {
    2443     /* variable name starts with */
     
    2847 
    2948     /* variable name is */
    30 @@ -140,6 +141,7 @@
     49@@ -140,6 +142,7 @@
    3150     "UNIQUE_ID=",
    3251     "USER_NAME=",
     
    3655 };
    3756 
    38 @@ -513,6 +515,12 @@
     57@@ -450,7 +453,7 @@
     58      * Error out if attempt is made to execute as root or as
     59      * a UID less than AP_UID_MIN.  Tsk tsk.
     60      */
     61-    if ((uid == 0) || (uid < AP_UID_MIN)) {
     62+    if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) {
     63         log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
     64         exit(107);
     65     }
     66@@ -482,6 +485,17 @@
     67         log_err("failed to setuid (%ld: %s)\n", uid, cmd);
     68         exit(110);
     69     }
     70+    if (uid == 102) {
     71+        if (setexeccon("user_u:user_r:signup_t:s0") == -1) {
     72+            log_err("failed to setexeccon (%ld: %s) to signup_t\n");
     73+            exit(201);
     74+        }
     75+    } else {
     76+        if (setexeccon("user_u:user_r:user_t:s0") == -1) {
     77+            log_err("failed to setexeccon (%ld: %s) to user_t\n");
     78+            exit(202);
     79+        }
     80+    }
     81 
     82     /*
     83      * Get the current working directory, as well as the proper
     84@@ -513,6 +527,12 @@
    3985             exit(113);
    4086         }
     
    4995     if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
    5096         log_err("command not in docroot (%s/%s)\n", cwd, cmd);
    51 @@ -530,15 +538,17 @@
     97@@ -530,15 +550,17 @@
    5298     /*
    5399      * Error out if cwd is writable by others.
     
    68114         exit(117);
    69115     }
    70 @@ -546,10 +556,12 @@
     116@@ -546,10 +568,12 @@
    71117     /*
    72118      * Error out if the program is writable by others.
     
    81127     /*
    82128      * Error out if the file is setuid or setgid.
    83 @@ -563,6 +575,7 @@
     129@@ -563,6 +587,7 @@
    84130      * Error out if the target name/group is different from
    85131      * the name/group of the cwd or the program.
     
    89135         (gid != dir_info.st_gid) ||
    90136         (uid != prg_info.st_uid) ||
    91 @@ -574,6 +587,7 @@
     137@@ -574,6 +599,7 @@
    92138                 prg_info.st_uid, prg_info.st_gid);
    93139         exit(120);
Note: See TracChangeset for help on using the changeset viewer.