source:
server/common/patches/httpd-suexec-scripts.patch
@
403
Last change on this file since 403 was 403, checked in by presbrey, 17 years ago | |
---|---|
File size: 6.0 KB |
-
httpd-2.2.2/support/Makefile.in
# scripts.mit.edu httpd suexec patch # Copyright (C) 2006, 2007 Jeff Arnold <jbarnold@mit.edu>, Joe Presbrey <presbrey@mit.edu>, Anders Kaseorg <andersk@mit.edu> # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA # # See /COPYRIGHT in this repository for more information. #
old new 60 60 61 61 suexec_OBJECTS = suexec.lo 62 62 suexec: $(suexec_OBJECTS) 63 $(LINK) $(suexec_OBJECTS)63 $(LINK) -lselinux $(suexec_OBJECTS) 64 64 65 65 htcacheclean_OBJECTS = htcacheclean.lo 66 66 htcacheclean: $(htcacheclean_OBJECTS) -
httpd-2.2.2/support/suexec.c
old new 30 30 * 31 31 */ 32 32 33 #define STATIC_CAT_PATH "/usr/local/bin/static-cat" 34 33 35 #include "apr.h" 34 36 #include "ap_config.h" 35 37 #include "suexec.h" … … 46 48 #include <stdio.h> 47 49 #include <stdarg.h> 48 50 #include <stdlib.h> 51 #include <selinux/selinux.h> 49 52 50 53 #ifdef HAVE_PWD_H 51 54 #include <pwd.h> … … 95 98 { 96 99 /* variable name starts with */ 97 100 "HTTP_", 101 "HTTPS_", 98 102 "SSL_", 103 "PERL", 104 "PYTHON", 99 105 100 106 /* variable name is */ … … 140 146 "UNIQUE_ID=", 141 147 "USER_NAME=", 142 148 "TZ=", 149 "PHPRC=", 143 150 NULL 144 151 }; 145 152 … … 245 252 environ = cleanenv; 246 253 } 247 254 255 static const char *static_extensions[] = { 256 "html", 257 "css", 258 "gif", 259 "jpg", 260 "png", 261 "htm", 262 "jpeg", 263 "js", 264 "ico", 265 "xml", 266 "xsl", 267 "tiff", 268 "tif", 269 "tgz", 270 "tar", 271 "jar", 272 "zip", 273 "pdf", 274 "ps", 275 "doc", 276 "xls", 277 "ppt", 278 "swf", 279 "mp3", 280 "mov", 281 "wmv", 282 "mpg", 283 "mpeg", 284 "avi", 285 "il", 286 "JPG", 287 "xhtml", 288 NULL 289 }; 290 291 static int is_static_extension(const char *file) 292 { 293 const char *extension = strrchr(file, '.'); 294 const char **p; 295 if (extension == NULL) return 0; 296 for (p = static_extensions; *p; ++p) { 297 if (strcmp(extension + 1, *p) == 0) return 1; 298 } 299 return 0; 300 } 301 248 302 int main(int argc, char *argv[]) 249 303 { 250 304 int userdir = 0; /* ~userdir flag */ … … 450 504 * Error out if attempt is made to execute as root or as 451 505 * a UID less than AP_UID_MIN. Tsk tsk. 452 506 */ 453 if ((uid == 0) || (uid < AP_UID_MIN )) {507 if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) { 454 508 log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd); 455 509 exit(107); 456 510 } … … 482 536 log_err("failed to setuid (%ld: %s)\n", uid, cmd); 483 537 exit(110); 484 538 } 539 if (is_selinux_enabled()) { 540 if (uid == 102) { 541 if (setexeccon("system_u:system_r:signup_t:s0") == -1) { 542 log_err("failed to setexeccon (%ld: %s) to signup_t\n", uid, cmd); 543 exit(201); 544 } 545 } else { 546 if (setexeccon("user_u:user_r:user_t:s0") == -1) { 547 log_err("failed to setexeccon (%ld: %s) to user_t\n", uid, cmd); 548 exit(202); 549 } 550 } 551 } 485 552 486 553 /* 487 554 * Get the current working directory, as well as the proper … … 513 580 exit(113); 514 581 } 515 582 } 583 size_t expected_len = strlen(target_homedir)+1+strlen(AP_USERDIR_SUFFIX)+1; 584 char *expected = malloc(expected_len); 585 snprintf(expected, expected_len, "%s/%s", target_homedir, AP_USERDIR_SUFFIX); 586 if (strncmp(cwd, expected, expected_len-1) != 0) { 587 log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected); 588 exit(114); 589 } 516 590 517 591 if ((strncmp(cwd, dwd, strlen(dwd))) != 0) { 518 592 log_err("command not in docroot (%s/%s)\n", cwd, cmd); … … 530 604 /* 531 605 * Error out if cwd is writable by others. 532 606 */ 607 #if 0 533 608 if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) { 534 609 log_err("directory is writable by others: (%s)\n", cwd); 535 610 exit(116); 536 611 } 612 #endif 537 613 538 614 /* 539 615 * Error out if we cannot stat the program. 540 616 */ 541 if (((lstat(cmd, &prg_info)) != 0) || (S_ISLNK(prg_info.st_mode))) {617 if (((lstat(cmd, &prg_info)) != 0) /*|| (S_ISLNK(prg_info.st_mode))*/) { 542 618 log_err("cannot stat program: (%s)\n", cmd); 543 619 exit(117); 544 620 } … … 546 622 /* 547 623 * Error out if the program is writable by others. 548 624 */ 625 #if 0 549 626 if ((prg_info.st_mode & S_IWOTH) || (prg_info.st_mode & S_IWGRP)) { 550 627 log_err("file is writable by others: (%s/%s)\n", cwd, cmd); 551 628 exit(118); 552 629 } 630 #endif 553 631 554 632 /* 555 633 * Error out if the file is setuid or setgid. … … 563 641 * Error out if the target name/group is different from 564 642 * the name/group of the cwd or the program. 565 643 */ 644 #if 0 566 645 if ((uid != dir_info.st_uid) || 567 646 (gid != dir_info.st_gid) || 568 647 (uid != prg_info.st_uid) || … … 574 653 prg_info.st_uid, prg_info.st_gid); 575 654 exit(120); 576 655 } 656 #endif 577 657 /* 578 658 * Error out if the program is not executable for the user. 579 659 * Otherwise, she won't find any error in the logs except for … … 609 689 log = NULL; 610 690 } 611 691 692 if (is_static_extension(cmd)) { 693 argv[2] = STATIC_CAT_PATH; 694 execv(STATIC_CAT_PATH, &argv[2]); 695 log_err("(%d)%s: static_cat exec failed (%s)\n", errno, strerror(errno), argv[2]); 696 exit(255); 697 } 698 612 699 /* 613 700 * Execute the command, replacing our image with its own. 614 701 */
Note: See TracBrowser
for help on using the repository browser.