source: branches/fc20-dev/server/fedora/specs/httpd.spec.patch @ 2551

Last change on this file since 2551 was 2551, checked in by andersk, 10 years ago
Put back CAP_DAC_OVERRIDE on suexec so it can write to /var/log/httpd. In the future, though, we may want to investigate following Fedora’s switch to syslog.
File size: 2.8 KB
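--- httpd.spec.orig     2014-07-23 06:24:15.000000000 -0400
+++ httpd.spec  2014-07-27 17:38:45.622914152 -0400
@@ -15,7 +15,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.10
-Release: 1%{?dist}
+Release: 1%{?dist}.scripts.%{scriptsversion}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -84,6 +84,12 @@
 Requires(post): systemd-units
 Conflicts: apr < 1.5.0-1
 
+Provides: scripts-httpd = %{version}-%{release}
+Patch1001: httpd-suexec-scripts.patch
+Patch1002: httpd-mod_status-security.patch
+Patch1003: httpd-304s.patch
+Patch1004: httpd-fixup-vhost.patch
+
 %description
 The Apache HTTP Server is a powerful, efficient, and extensible
 web server.
@@ -94,6 +100,7 @@
 Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
 Requires: apr-devel, apr-util-devel, pkgconfig
 Requires: httpd = %{version}-%{release}
+Provides: scripts-httpd-devel = %{version}-%{release}
 
 %description devel
 The httpd-devel package contains the APXS binary and other files
@@ -132,6 +139,7 @@
 Requires(post): openssl, /bin/cat
 Requires(pre): httpd
 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
+Provides: scripts-mod_ssl
 Obsoletes: stronghold-mod_ssl
 
 %description -n mod_ssl
@@ -196,6 +204,11 @@
 # Prevent use of setcap in "install-suexec-caps" target.
 sed -i '/suexec/s,setcap ,echo Skipping setcap for ,' Makefile.in
 
+%patch1001 -p1 -b .suexec-scripts
+%patch1002 -p1 -b .mod_status-security
+%patch1003 -p1 -b .scripts-304s
+%patch1004 -p1 -b .fixup-vhost
+
 # Safety check: prevent build if defined MMN does not equal upstream MMN.
 vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
 if test "x${vmmn}" != "x%{mmn}"; then
@@ -242,11 +255,13 @@
        --enable-suexec --with-suexec \
         --enable-suexec-capabilities \
        --with-suexec-caller=%{suexec_caller} \
-       --with-suexec-docroot=%{docroot} \
-       --without-suexec-logfile \
-        --with-suexec-syslog \
+       --with-suexec-docroot=/ \
+       --with-suexec-userdir=web_scripts \
+       --with-suexec-trusteddir=/usr/libexec/scripts-trusted \
+       --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
+        --without-suexec-syslog \
        --with-suexec-bin=%{_sbindir}/suexec \
-       --with-suexec-uidmin=500 --with-suexec-gidmin=100 \
+       --with-suexec-uidmin=50 --with-suexec-gidmin=50 \
         --enable-pie \
         --with-pcre \
         --enable-mods-shared=all \
@@ -542,7 +557,8 @@
 %{_sbindir}/fcgistarter
 %{_sbindir}/apachectl
 %{_sbindir}/rotatelogs
-%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
+# cap_dac_override needed to write to /var/log/httpd
+%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
 
 %dir %{_libdir}/httpd
 %dir %{_libdir}/httpd/modules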
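Review bot: The `%caps` line in the last hunk grants `cap_dac_override` to suexec, which bypasses file permission checks on every path the helper touches while it holds the capability, not only `/var/log/httpd/suexec.log`. The need comes from the configure hunk, which replaces `--with-suexec-syslog` with `--with-suexec-logfile`. Keeping syslog logging, or (if the directory permissions allow it) a log file that suexec's caller can already write, would let the set stay at `cap_setuid,cap_setgid`. If the capability stays, the comment should record that dependency, for example `# cap_dac_override is needed only for --with-suexec-logfile under /var/log/httpd; drop it if suexec logs to syslog`. The same configure hunk also sets `--with-suexec-docroot=/` and lowers uidmin/gidmin from 500/100 to 50, and the spec has no comment saying which accounts and paths that is meant to admit.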