Changeset 823


Ignore:
Timestamp:
Aug 29, 2008, 9:38:00 AM (16 years ago)
Author:
geofft
Message:
Add suexec support for things in a trusted directory, so we can make a trusted
svn, etc. wrapper and su to the target user to use their permissions.

This commit is being made with svnserve being invoked by such a trusted
wrapper. Let's see if it works.
Location:
server
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • server/common/patches/httpd-suexec-scripts.patch

    r618 r823  
    11# scripts.mit.edu httpd suexec patch
    2 # Copyright (C) 2006, 2007  Jeff Arnold <jbarnold@mit.edu>, Joe Presbrey <presbrey@mit.edu>, Anders Kaseorg <andersk@mit.edu>
     2# Copyright (C) 2006, 2007, 2008  Jeff Arnold <jbarnold@mit.edu>,
     3#                                 Joe Presbrey <presbrey@mit.edu>,
     4#                                 Anders Kaseorg <andersk@mit.edu>,
     5#                                 Geoffrey Thomas <geofft@mit.edu>
    36#
    47# This program is free software; you can redistribute it and/or
     
    2932 htcacheclean_OBJECTS = htcacheclean.lo
    3033 htcacheclean: $(htcacheclean_OBJECTS)
     34--- httpd-2.2.2/configure.in.old        2007-07-17 10:48:25.000000000 -0400
     35+++ httpd-2.2.2/configure.in    2008-08-29 08:15:41.000000000 -0400
     36@@ -559,6 +559,10 @@
     37 APACHE_HELP_STRING(--with-suexec-userdir,User subdirectory),[
     38   AC_DEFINE_UNQUOTED(AP_USERDIR_SUFFIX, "$withval", [User subdirectory] ) ] )
     39 
     40+AC_ARG_WITH(suexec-trusteddir,
     41+APACHE_HELP_STRING(--with-suexec-trusteddir,Trusted SuExec directory),[
     42+  AC_DEFINE_UNQUOTED(AP_TRUSTED_DIRECTORY, "$withval", [Trusted SuExec directory] ) ] )
     43+
     44 AC_ARG_WITH(suexec-docroot,
     45 APACHE_HELP_STRING(--with-suexec-docroot,SuExec root directory),[
     46   AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] )
    3147--- httpd-2.2.2/support/suexec.c.old    2006-04-21 21:53:06.000000000 -0400
    3248+++ httpd-2.2.2/support/suexec.c        2007-05-22 10:32:04.000000000 -0400
     
    6480 };
    6581 
    66 @@ -245,6 +250,54 @@
     82@@ -245,9 +250,58 @@
    6783     environ = cleanenv;
    6884 }
     
    119135 {
    120136     int userdir = 0;        /* ~userdir flag             */
    121 @@ -450,7 +501,7 @@
     137+    int trusteddir = 0;     /* TRUSTED_DIRECTORY flag    */
     138     uid_t uid;              /* user information          */
     139     gid_t gid;              /* target group placeholder  */
     140     char *target_uname;     /* target user name          */
     141@@ -350,6 +404,20 @@
     142 #endif /*_OSD_POSIX*/
     143 
     144     /*
     145+     * First check if this is an absolute path to the directory
     146+     * of trusted executables. These are supposed to be security
     147+     * audited to check parameters and validity on their own...
     148+     */
     149+    if (strstr(cmd, AP_TRUSTED_DIRECTORY) == cmd) {
     150+        if (strstr(cmd, "/../") != NULL) {
     151+            log_err("invalid command (%s)\n", cmd);
     152+            exit(104);
     153+        }
     154+        trusteddir = 1;
     155+        goto TRUSTED_DIRECTORY;
     156+    }
     157+
     158+    /*
     159      * Check for a leading '/' (absolute path) in the command to be executed,
     160      * or attempts to back up out of the current directory,
     161      * to protect against attacks.  If any are
     162@@ -371,6 +439,7 @@
     163         userdir = 1;
     164     }
     165 
     166+TRUSTED_DIRECTORY:
     167     /*
     168      * Error out if the target username is invalid.
     169      */
     170@@ -450,7 +519,7 @@
    122171      * Error out if attempt is made to execute as root or as
    123172      * a UID less than AP_UID_MIN.  Tsk tsk.
     
    128177         exit(107);
    129178     }
    130 @@ -482,6 +533,19 @@
     179@@ -482,6 +551,19 @@
    131180         log_err("failed to setuid (%ld: %s)\n", uid, cmd);
    132181         exit(110);
     
    148197     /*
    149198      * Get the current working directory, as well as the proper
    150 @@ -513,6 +575,13 @@
    151              exit(113);
     199@@ -504,6 +586,21 @@
     200             log_err("cannot get docroot information (%s)\n", target_homedir);
     201             exit(112);
    152202         }
    153      }
    154 +    size_t expected_len = strlen(target_homedir)+1+strlen(AP_USERDIR_SUFFIX)+1;
    155 +    char *expected = malloc(expected_len);
    156 +    snprintf(expected, expected_len, "%s/%s", target_homedir, AP_USERDIR_SUFFIX);
    157 +    if (strncmp(cwd, expected, expected_len-1) != 0) {
    158 +        log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected);
    159 +        exit(114);
    160 +    }
    161  
    162      if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
    163          log_err("command not in docroot (%s/%s)\n", cwd, cmd);
    164 @@ -530,15 +598,17 @@
     203+        size_t expected_len = strlen(target_homedir)+1+strlen(AP_USERDIR_SUFFIX)+1;
     204+        char *expected = malloc(expected_len);
     205+        snprintf(expected, expected_len, "%s/%s", target_homedir, AP_USERDIR_SUFFIX);
     206+        if (strncmp(cwd, expected, expected_len-1) != 0) {
     207+            log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected);
     208+            exit(114);
     209+        }
     210+    }
     211+    else if (trusteddir) {
     212+        if (((chdir(AP_TRUSTED_DIRECTORY)) != 0) ||
     213+            ((getcwd(dwd, AP_MAXPATH)) == NULL) |
     214+            ((chdir(cwd)) != 0)) {
     215+            log_err("cannot get docroot information (%s)\n", AP_TRUSTED_DIRECTORY);
     216+            exit(112);
     217+        }
     218     }
     219     else {
     220         if (((chdir(AP_DOC_ROOT)) != 0) ||
     221@@ -530,15 +627,17 @@
    165222     /*
    166223      * Error out if cwd is writable by others.
     
    181238         exit(117);
    182239     }
    183 @@ -546,10 +616,12 @@
     240@@ -546,10 +645,12 @@
    184241     /*
    185242      * Error out if the program is writable by others.
     
    194251     /*
    195252      * Error out if the file is setuid or setgid.
    196 @@ -563,6 +635,7 @@
     253@@ -563,6 +664,7 @@
    197254      * Error out if the target name/group is different from
    198255      * the name/group of the cwd or the program.
     
    202259         (gid != dir_info.st_gid) ||
    203260         (uid != prg_info.st_uid) ||
    204 @@ -574,6 +647,7 @@
     261@@ -574,6 +676,7 @@
    205262                 prg_info.st_uid, prg_info.st_gid);
    206263         exit(120);
     
    210267      * Error out if the program is not executable for the user.
    211268      * Otherwise, she won't find any error in the logs except for
    212 @@ -609,6 +683,13 @@
    213          log = NULL;
     269@@ -606,6 +709,13 @@
     270       exit(122);
    214271     }
    215272 
  • server/fedora/Makefile

    r815 r823  
    141141        cd httpd-2*; \
    142142        patch -p1 < ${patches}/httpd-suexec-scripts.patch; \
    143         ./configure --prefix=/etc/httpd --with-suexec-userdir=web_scripts --with-suexec-caller=apache --with-suexec-uidmin=50 --with-suexec-gidmin=50 --with-suexec-docroot=/; \
     143        autoreconf; \
     144        ./configure --prefix=/etc/httpd --with-suexec-userdir=web_scripts --with-suexec-caller=apache --with-suexec-uidmin=50 --with-suexec-gidmin=50 --with-suexec-docroot=/ --with-suexec-trusteddir=/usr/libexec/scripts-trusted; \
    144145        pushd support; \
    145146        mkdir -p ${out_sbin}; make suexec && cp suexec ${out_sbin}; \
Note: See TracChangeset for help on using the changeset viewer.