Index: /trunk/server/common/patches/httpd-suexec-cloexec.patch =================================================================== --- /trunk/server/common/patches/httpd-suexec-cloexec.patch (revision 1356) +++ /trunk/server/common/patches/httpd-suexec-cloexec.patch (revision 1356) @@ -0,0 +1,52 @@ +From: Stefan Fritsch +Date: Sat, 3 Oct 2009 13:46:48 +0000 +Subject: suexec: Allow to log an error if exec fails by setting FD_CLOEXEC on the log file instead of closing it. + +PR: 10744 +Submitted by: Nicolas Rachinsky +Reviewed by: Stefan Fritsch + +Origin: upstream, http://svn.apache.org/viewvc?rev=821321&view=rev +Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=10744 +--- + support/suexec.c | 18 +++++++++--------- + 1 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/support/suexec.c b/support/suexec.c +index cb4e85f..85e1318 100644 +--- a/support/suexec.c ++++ b/support/suexec.c +@@ -49,6 +49,7 @@ + #include + #include + #include ++#include + #include + + #ifdef HAVE_PWD_H +@@ -714,17 +715,16 @@ TRUSTED_DIRECTORY: + #endif /* AP_SUEXEC_UMASK */ + + /* +- * Be sure to close the log file so the CGI can't +- * mess with it. If the exec fails, it will be reopened +- * automatically when log_err is called. Note that the log +- * might not actually be open if AP_LOG_EXEC isn't defined. +- * However, the "log" cell isn't ifdef'd so let's be defensive +- * and assume someone might have done something with it +- * outside an ifdef'd AP_LOG_EXEC block. ++ * ask fcntl(2) to set the FD_CLOEXEC flag on the log file, ++ * so it'll be automagically closed if the exec() call succeeds. + */ + if (log != NULL) { +- fclose(log); +- log = NULL; ++ fflush(log); ++ setbuf(log,NULL); ++ if ((fcntl(fileno(log), F_SETFD, FD_CLOEXEC) == -1)) { ++ log_err("error: can't set close-on-exec flag"); ++ exit(122); ++ } + } + + /* Index: /trunk/server/fedora/specs/httpd.spec.patch =================================================================== --- /trunk/server/fedora/specs/httpd.spec.patch (revision 1355) +++ /trunk/server/fedora/specs/httpd.spec.patch (revision 1356) @@ -10,5 +10,5 @@ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz Source1: index.html -@@ -55,6 +55,12 @@ +@@ -55,6 +55,13 @@ Conflicts: pcre < 4.0 Requires: httpd-tools = %{version}-%{release}, apr-util-ldap @@ -19,4 +19,5 @@ +Patch1004: httpd-2.2.x-304.patch +Patch1005: httpd-2.2.x-mod_ssl-sessioncaching.patch ++Patch1006: httpd-suexec-cloexec.patch + %description @@ -31,5 +32,5 @@ %description -n mod_ssl -@@ -128,6 +135,11 @@ +@@ -128,6 +135,12 @@ # Patch in vendor/release string sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 @@ -39,4 +40,5 @@ +%patch1004 -p1 -b .scripts-304 +%patch1005 -p1 -b .ssl-sessioncache ++%patch1006 -p1 -b .cloexec + # Safety check: prevent build if defined MMN does not equal upstream MMN.