Changeset 2591 for trunk/server/common/patches/httpd-suexec-scripts.patch

Timestamp:

Aug 27, 2014, 10:06:17 PM (10 years ago)

Author:

achernya

Message:

Reintegrate fc20-dev into trunk

Location:

trunk

Files:

• . (modified) (1 prop)
• server/common/patches/httpd-suexec-scripts.patch (modified) (16 diffs)

trunk/server/common/patches/httpd-suexec-scripts.patch

@@ -1 @@
-# scripts.mit.edu httpd suexec patch
-# Copyright (C) 2006, 2007, 2008  Jeff Arnold <jbarnold@mit.edu>,
-#                                 Joe Presbrey <presbrey@mit.edu>,
-#                                 Anders Kaseorg <andersk@mit.edu>,
-#                                 Geoffrey Thomas <geofft@mit.edu>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-#
-# See /COPYRIGHT in this repository for more information.
-#
---- httpd-2.2.2/support/Makefile.in.old 2005-07-06 19:15:34.000000000 -0400
-+++ httpd-2.2.2/support/Makefile.in     2007-01-20 17:12:51.000000000 -0500
-@@ -60,7 +60,7 @@
-
- suexec_OBJECTS = suexec.lo
- suexec: $(suexec_OBJECTS)
--       $(LINK) $(suexec_OBJECTS)
-+       $(LINK) -lselinux $(suexec_OBJECTS)
-
- htcacheclean_OBJECTS = htcacheclean.lo
- htcacheclean: $(htcacheclean_OBJECTS)
---- httpd-2.2.2/configure.in.old        2007-07-17 10:48:25.000000000 -0400
-+++ httpd-2.2.2/configure.in    2008-08-29 08:15:41.000000000 -0400
-@@ -559,6 +559,10 @@
+From 427d432a56df94d69a11cc438b08adb070615005 Mon Sep 17 00:00:00 2001
+From: Alexander Chernyakhovsky <achernya@mit.edu>
+Date: Fri, 3 May 2013 21:38:58 -0400
+Subject: [PATCH] Add scripts-specific support to suexec
+
+This patch make suexec aware of static-cat, Scripts' tool to serve
+static content out of AFS.  Specifically, this introduces a whitelist
+of extensions for which suexec is supposed to invoke static-cat as a
+content-handler.
+
+Additionally, this patch also sets JAVA_TOOL_OPTIONS, to allow the JVM
+to start up in Scripts' limited memory environment.
+
+Furthermore, this patch deals with some of suexec's paranoia being
+incorrect in an AFS world, by ignoring some of the irrelevant stat
+results.
+
+Finally, add support for invoking php-cgi for php files, in a safe
+manner that will strip arguments passed by Apache to php-cgi.
+---
+ configure.in     |   4 ++
+ support/suexec.c | 172 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 173 insertions(+), 3 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 811aace..a95349f 100644
+--- a/configure.in
++++ b/configure.in
+@@ -721,6 +721,10 @@ AC_ARG_WITH(suexec-userdir,
  APACHE_HELP_STRING(--with-suexec-userdir,User subdirectory),[
    AC_DEFINE_UNQUOTED(AP_USERDIR_SUFFIX, "$withval", [User subdirectory] ) ] )
@@ -45 +38 @@
  APACHE_HELP_STRING(--with-suexec-docroot,SuExec root directory),[
    AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] )
---- httpd-2.2.11/support/suexec.c.old   2008-11-30 10:47:31.000000000 -0500
-+++ httpd-2.2.11/support/suexec.c       2009-06-08 09:02:17.000000000 -0400
+diff --git a/support/suexec.c b/support/suexec.c
+index 32e7320..3a4d802 100644
+--- a/support/suexec.c
++++ b/support/suexec.c
 @@ -30,6 +30,9 @@
   *
@@ -57 +52 @@
  #include "ap_config.h"
  #include "suexec.h"
-@@ -46,6 +49,7 @@
- #include <stdio.h>
- #include <stdarg.h>
- #include <stdlib.h>
-+#include <selinux/selinux.h>
- 
- #ifdef HAVE_PWD_H
- #include <pwd.h>
-@@ -95,6 +99,7 @@
+@@ -92,6 +95,7 @@ static const char *const safe_env_lst[] =
  {
      /* variable name starts with */
@@ -73 +60 @@
  
      /* variable name is */
-@@ -245,9 +250,108 @@
+@@ -268,9 +272,108 @@ static void clean_env(void)
      environ = cleanenv;
  }
@@ -182 +169 @@
      gid_t gid;              /* target group placeholder  */
      char *target_uname;     /* target user name          */
-@@ -268,6 +368,7 @@
+@@ -290,6 +393,7 @@ int main(int argc, char *argv[])
       * Start with a "clean" environment
       */
@@ -188 +175 @@
 +    setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */
  
-     prog = argv[0];
-     /*
-@@ -350,6 +451,20 @@
+     /*
+      * Check existence/validity of the UID of the user
+@@ -373,6 +477,20 @@ int main(int argc, char *argv[])
  #endif /*_OSD_POSIX*/
  
@@ -211 +198 @@
       * or attempts to back up out of the current directory,
       * to protect against attacks.  If any are
-@@ -371,6 +486,7 @@
+@@ -394,6 +512,7 @@ int main(int argc, char *argv[])
          userdir = 1;
      }
@@ -219 +206 @@
       * Error out if the target username is invalid.
       */
-@@ -452,7 +568,7 @@
+@@ -482,7 +601,7 @@ int main(int argc, char *argv[])
       * Error out if attempt is made to execute as root or as
       * a UID less than AP_UID_MIN.  Tsk tsk.
@@ -225 +212 @@
 -    if ((uid == 0) || (uid < AP_UID_MIN)) {
 +    if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) { /* uid 102 = signup  */
-         log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
+         log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
          exit(107);
      }
-@@ -484,6 +599,7 @@
-         log_err("failed to setuid (%ld: %s)\n", uid, cmd);
+@@ -514,6 +633,7 @@ int main(int argc, char *argv[])
+         log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
          exit(110);
      }
@@ -236 +223 @@
      /*
       * Get the current working directory, as well as the proper
-@@ -506,6 +637,21 @@
+@@ -536,6 +656,21 @@ int main(int argc, char *argv[])
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
@@ -258 +245 @@
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
-@@ -532,15 +678,17 @@
+@@ -562,15 +697,17 @@ int main(int argc, char *argv[])
      /*
       * Error out if cwd is writable by others.
@@ -277 +264 @@
          exit(117);
      }
-@@ -548,10 +696,12 @@
+@@ -578,10 +715,12 @@ int main(int argc, char *argv[])
      /*
       * Error out if the program is writable by others.
@@ -290 +277 @@
      /*
       * Error out if the file is setuid or setgid.
-@@ -565,6 +715,7 @@
+@@ -595,6 +734,7 @@ int main(int argc, char *argv[])
       * Error out if the target name/group is different from
       * the name/group of the cwd or the program.
@@ -298 +285 @@
          (gid != dir_info.st_gid) ||
          (uid != prg_info.st_uid) ||
-@@ -576,12 +727,14 @@
-                 prg_info.st_uid, prg_info.st_gid);
+@@ -606,12 +746,14 @@ int main(int argc, char *argv[])
+                 (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
          exit(120);
      }
@@ -314 +301 @@
          exit(121);
      }
-@@ -614,6 +767,30 @@
+@@ -660,6 +802,30 @@ int main(int argc, char *argv[])
      /*
       * Execute the command, replacing our image with its own.
@@ -345 +332 @@
      /* We need the #! emulation when we want to execute scripts */
      {
+-- 
+1.8.1.2
+