Changeset 823 for server/common/patches
- Timestamp:
- Aug 29, 2008, 9:38:00 AM (16 years ago)
- File:
-
- 1 edited
server/common/patches/httpd-suexec-scripts.patch
r618 r823 1 1 # scripts.mit.edu httpd suexec patch 2 # Copyright (C) 2006, 2007 Jeff Arnold <jbarnold@mit.edu>, Joe Presbrey <presbrey@mit.edu>, Anders Kaseorg <andersk@mit.edu> 2 # Copyright (C) 2006, 2007, 2008 Jeff Arnold <jbarnold@mit.edu>, 3 # Joe Presbrey <presbrey@mit.edu>, 4 # Anders Kaseorg <andersk@mit.edu>, 5 # Geoffrey Thomas <geofft@mit.edu> 3 6 # 4 7 # This program is free software; you can redistribute it and/or … … 29 32 htcacheclean_OBJECTS = htcacheclean.lo 30 33 htcacheclean: $(htcacheclean_OBJECTS) 34 --- httpd-2.2.2/configure.in.old 2007-07-17 10:48:25.000000000 -0400 35 +++ httpd-2.2.2/configure.in 2008-08-29 08:15:41.000000000 -0400 36 @@ -559,6 +559,10 @@ 37 APACHE_HELP_STRING(--with-suexec-userdir,User subdirectory),[ 38 AC_DEFINE_UNQUOTED(AP_USERDIR_SUFFIX, "$withval", [User subdirectory] ) ] ) 39 40 +AC_ARG_WITH(suexec-trusteddir, 41 +APACHE_HELP_STRING(--with-suexec-trusteddir,Trusted SuExec directory),[ 42 + AC_DEFINE_UNQUOTED(AP_TRUSTED_DIRECTORY, "$withval", [Trusted SuExec directory] ) ] ) 43 + 44 AC_ARG_WITH(suexec-docroot, 45 APACHE_HELP_STRING(--with-suexec-docroot,SuExec root directory),[ 46 AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] ) 31 47 --- httpd-2.2.2/support/suexec.c.old 2006-04-21 21:53:06.000000000 -0400 32 48 +++ httpd-2.2.2/support/suexec.c 2007-05-22 10:32:04.000000000 -0400 … … 64 80 }; 65 81 66 @@ -245, 6 +250,54@@82 @@ -245,9 +250,58 @@ 67 83 environ = cleanenv; 68 84 } … … 119 135 { 120 136 int userdir = 0; /* ~userdir flag */ 121 @@ -450,7 +501,7 @@ 137 + int trusteddir = 0; /* TRUSTED_DIRECTORY flag */ 138 uid_t uid; /* user information */ 139 gid_t gid; /* target group placeholder */ 140 char *target_uname; /* target user name */ 141 
@@ -350,6 +404,20 @@ 142 #endif /*_OSD_POSIX*/ 143 144 /* 145 + * First check if this is an absolute path to the directory 146 + * of trusted executables. These are supposed to be security 147 + * audited to check parameters and validity on their own... 148 + */ 149 + if (strstr(cmd, AP_TRUSTED_DIRECTORY) == cmd) { 150 + if (strstr(cmd, "/../") != NULL) { 151 + log_err("invalid command (%s)\n", cmd); 152 + exit(104); 153 + } 154 + trusteddir = 1; 155 + goto TRUSTED_DIRECTORY; 156 + } 157 + 158 + /* 159 * Check for a leading '/' (absolute path) in the command to be executed, 160 * or attempts to back up out of the current directory, 161 * to protect against attacks. If any are 162 @@ -371,6 +439,7 @@ 163 userdir = 1; 164 } 165 166 +TRUSTED_DIRECTORY: 167 /* 168 * Error out if the target username is invalid. 169 */ 170 @@ -450,7 +519,7 @@ 122 171 * Error out if attempt is made to execute as root or as 123 172 * a UID less than AP_UID_MIN. Tsk tsk. … … 128 177 exit(107); 129 178 } 130 @@ -482,6 +5 33,19 @@179 @@ -482,6 +551,19 @@ 131 180 log_err("failed to setuid (%ld: %s)\n", uid, cmd); 132 181 exit(110); … … 148 197 /* 149 198 * Get the current working directory, as well as the proper 150 @@ -513,6 +575,13 @@ 151 exit(113); 199 @@ -504,6 +586,21 @@ 200 log_err("cannot get docroot information (%s)\n", target_homedir); 201 exit(112); 152 202 } 153 } 154 + size_t expected_len = strlen(target_homedir)+1+strlen(AP_USERDIR_SUFFIX)+1; 155 + char *expected = malloc(expected_len); 156 + snprintf(expected, expected_len, "%s/%s", target_homedir, AP_USERDIR_SUFFIX); 157 + if (strncmp(cwd, expected, expected_len-1) != 0) { 158 + log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected); 159 + exit(114); 160 + } 161 162 if ((strncmp(cwd, dwd, strlen(dwd))) != 0) { 163 log_err("command not in docroot (%s/%s)\n", cwd, cmd); 164 
@@ -530,15 +598,17 @@ 203 + size_t expected_len = strlen(target_homedir)+1+strlen(AP_USERDIR_SUFFIX)+1; 204 + char *expected = malloc(expected_len); 205 + snprintf(expected, expected_len, "%s/%s", target_homedir, AP_USERDIR_SUFFIX); 206 + if (strncmp(cwd, expected, expected_len-1) != 0) { 207 + log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected); 208 + exit(114); 209 + } 210 + } 211 + else if (trusteddir) { 212 + if (((chdir(AP_TRUSTED_DIRECTORY)) != 0) || 213 + ((getcwd(dwd, AP_MAXPATH)) == NULL) | 214 + ((chdir(cwd)) != 0)) { 215 + log_err("cannot get docroot information (%s)\n", AP_TRUSTED_DIRECTORY); 216 + exit(112); 217 + } 218 } 219 else { 220 if (((chdir(AP_DOC_ROOT)) != 0) || 221 @@ -530,15 +627,17 @@ 165 222 /* 166 223 * Error out if cwd is writable by others. … … 181 238 exit(117); 182 239 } 183 @@ -546,10 +6 16,12 @@240 @@ -546,10 +645,12 @@ 184 241 /* 185 242 * Error out if the program is writable by others. … … 194 251 /* 195 252 * Error out if the file is setuid or setgid. 196 @@ -563,6 +6 35,7 @@253 @@ -563,6 +664,7 @@ 197 254 * Error out if the target name/group is different from 198 255 * the name/group of the cwd or the program. … … 202 259 (gid != dir_info.st_gid) || 203 260 (uid != prg_info.st_uid) || 204 @@ -574,6 +6 47,7 @@261 @@ -574,6 +676,7 @@ 205 262 prg_info.st_uid, prg_info.st_gid); 206 263 exit(120); … … 210 267 * Error out if the program is not executable for the user. 211 268 * Otherwise, she won't find any error in the logs except for 212 @@ -60 9,6 +683,13 @@213 log = NULL;269 @@ -606,6 +709,13 @@ 270 exit(122); 214 271 } 215 272
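Review bot: The trusted-directory shortcut in the `@@ -350,6 +404,20 @@` hunk admits `cmd` on a bare prefix match: `strstr(cmd, AP_TRUSTED_DIRECTORY) == cmd` is true for any path that merely begins with the configured string, so unless `AP_TRUSTED_DIRECTORY` is configured with a trailing `/`, a sibling path such as `<trusteddir>-other/x` (if one exists) is also routed by the `goto TRUSTED_DIRECTORY` past the relative-path and ownership checks that the normal path enforces. I would require a component boundary instead: `size_t tlen = strlen(AP_TRUSTED_DIRECTORY); if (tlen > 0 && strncmp(cmd, AP_TRUSTED_DIRECTORY, tlen) == 0 && (AP_TRUSTED_DIRECTORY[tlen - 1] == '/' || cmd[tlen] == '/')) {`. The `strstr(cmd, "/../")` scan only rejects lexical traversal; whether a symlink placed under the trusted directory is caught depends on the stat/ownership conditions further down, whose modified lines are elided in this view, so if that is accepted by design it deserves a comment such as `/* NOTE: symlinks under AP_TRUSTED_DIRECTORY are not resolved here; the directory must be root-owned and not writable by others */`. Separately, the new `else if (trusteddir)` branch chains the `getcwd` and `chdir(cwd)` tests with a bitwise `|`, so `chdir(cwd)` is attempted even when `getcwd` failed; it should be `||` like the first operand (the existing docroot branch has the same slip, but the new code need not copy it). The enclosing function begins and ends outside the visible hunks.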