source:
server/common/patches/httpd-suexec-scripts.patch
@
  113
        
        | Last change on this file since 113 was 113, checked in by presbrey, 19 years ago | |
|---|---|
| File size: 4.5 KB | |
- 
        httpd-2.2.2/support/Makefile.in# scripts.mit.edu httpd suexec patch # Copyright (C) 2006 Jeff Arnold <jbarnold@mit.edu>, Joe Presbrey <presbrey@mit.edu> # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA # # See /COPYRIGHT in this repository for more information. # old new 60 60 61 61 suexec_OBJECTS = suexec.lo 62 62 suexec: $(suexec_OBJECTS) 63 $(LINK) $(suexec_OBJECTS)63 $(LINK) -lselinux $(suexec_OBJECTS) 64 64 65 65 htcacheclean_OBJECTS = htcacheclean.lo 66 66 htcacheclean: $(htcacheclean_OBJECTS) 
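Review bot: `-lselinux` is placed ahead of `$(suexec_OBJECTS)` on what appears to be the new link line, `$(LINK) -lselinux $(suexec_OBJECTS)`. Linkers resolve libraries left to right, so with a static archive or `--as-needed` the `setexeccon` reference in suexec.lo can go unresolved. Putting the library after the objects, `$(LINK) $(suexec_OBJECTS) -lselinux`, avoids that. The flag is also hard-coded in Makefile.in rather than detected at configure time, so a one-line comment stating that libselinux is a deliberate hard requirement of this build would help the next maintainer.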
- 
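--- a/httpd-2.2.2/support/suexec.c
+++ b/httpd-2.2.2/support/suexec.c
@@ -46,6 +46,7 @@
 #include <stdio.h>
 #include <stdarg.h>
 #include <stdlib.h>
+#include <selinux/selinux.h>
 
 #ifdef HAVE_PWD_H
 #include <pwd.h>
@@ -95,6 +96,7 @@
 {
     /* variable name starts with */
     "HTTP_",
+    "HTTPS_",
     "SSL_",
 
     /* variable name is */
@@ -140,6 +142,7 @@
     "UNIQUE_ID=",
     "USER_NAME=",
     "TZ=",
+    "PHPRC=",
     NULL
 };
 
@@ -450,7 +453,7 @@
      * Error out if attempt is made to execute as root or as
      * a UID less than AP_UID_MIN. Tsk tsk.
      */
-    if ((uid == 0) || (uid < AP_UID_MIN )) {
+    if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) {
         log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
         exit(107);
     }
@@ -482,6 +485,17 @@
         log_err("failed to setuid (%ld: %s)\n", uid, cmd);
         exit(110);
     }
+    if (uid == 102) {
+        if (setexeccon("system_u:system_r:signup_t:s0") == -1) {
+            log_err("failed to setexeccon (%ld: %s) to signup_t\n");
+            exit(201);
+        }
+    } else {
+        if (setexeccon("user_u:user_r:user_t:s0") == -1) {
+            log_err("failed to setexeccon (%ld: %s) to user_t\n");
+            exit(202);
+        }
+    }
 
     /*
      * Get the current working directory, as well as the proper
@@ -513,6 +527,12 @@
             exit(113);
         }
     }
+    char *expected = malloc(strlen(target_homedir)+strlen(AP_USERDIR_SUFFIX)+1);
+    sprintf(expected, "%s/%s", target_homedir, AP_USERDIR_SUFFIX);
+    if ((strncmp(cwd, expected, strlen(expected))) != 0) {
+        log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected);
+        exit(114);
+    }
 
     if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
         log_err("command not in docroot (%s/%s)\n", cwd, cmd);
@@ -530,15 +550,17 @@
     /*
      * Error out if cwd is writable by others.
      */
+#if 0
     if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) {
         log_err("directory is writable by others: (%s)\n", cwd);
         exit(116);
     }
+#endif
 
     /*
      * Error out if we cannot stat the program.
      */
-    if (((lstat(cmd, &prg_info)) != 0) || (S_ISLNK(prg_info.st_mode))) {
+    if (((lstat(cmd, &prg_info)) != 0) /*|| (S_ISLNK(prg_info.st_mode))*/) {
         log_err("cannot stat program: (%s)\n", cmd);
         exit(117);
     }
@@ -546,10 +568,12 @@
     /*
      * Error out if the program is writable by others.
      */
+#if 0
     if ((prg_info.st_mode & S_IWOTH) || (prg_info.st_mode & S_IWGRP)) {
         log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
         exit(118);
     }
+#endif
 
     /*
      * Error out if the file is setuid or setgid.
@@ -563,6 +587,7 @@
      * Error out if the target name/group is different from
      * the name/group of the cwd or the program.
      */
+#if 0
     if ((uid != dir_info.st_uid) ||
         (gid != dir_info.st_gid) ||
         (uid != prg_info.st_uid) ||
@@ -574,6 +599,7 @@
                 prg_info.st_uid, prg_info.st_gid);
         exit(120);
     }
+#endif
     /*
      * Error out if the program is not executable for the user.
      * Otherwise, she won't find any error in the logs except for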
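Review bot: The `expected` buffer in the new home-directory check is one byte short: `malloc(strlen(target_homedir)+strlen(AP_USERDIR_SUFFIX)+1)` leaves no room for the `/` that `sprintf` writes between the two strings, so the terminating NUL is written past the allocation in a setuid-root binary, and the `malloc` result is never checked. The prefix test also accepts a directory whose name merely begins with the suffix, because nothing checks that the character after the match is `/` or the end of `cwd`. Both new `log_err("failed to setexeccon (%ld: %s) ...")` calls supply no arguments for `%ld` and `%s`; they should pass `uid, cmd` as the `setuid` failure message just above them does. With `S_ISLNK` commented out, `lstat` still fills `prg_info` from the link itself, so the remaining setuid/setgid test presumably inspects the symlink rather than its target; please confirm whether `stat` is intended and document why the `#if 0` checks are safe to drop. The enclosing function starts and ends outside these hunks.

```c
/* … unchanged: closing braces of the preceding directory check … */
size_t expected_len = strlen(target_homedir) + 1 + strlen(AP_USERDIR_SUFFIX);
char *expected = malloc(expected_len + 1);   /* '/' separator plus NUL */
if (expected == NULL) {
    log_err("failed to allocate memory for home directory check\n");
    exit(114);
}
snprintf(expected, expected_len + 1, "%s/%s", target_homedir, AP_USERDIR_SUFFIX);
/* the match must end on a path-component boundary */
if (strncmp(cwd, expected, expected_len) != 0 ||
    (cwd[expected_len] != '\0' && cwd[expected_len] != '/')) {
    log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected);
    exit(114);
}
```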
