summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--httpd-2.4.1-suenable.patch18
-rw-r--r--httpd-2.4.2-iconlink.patch14
-rw-r--r--httpd-2.4.2-r1337344+.patch312
-rw-r--r--httpd-2.4.2-restart.patch2
-rw-r--r--httpd.spec39
5 files changed, 358 insertions, 27 deletions
diff --git a/httpd-2.4.1-suenable.patch b/httpd-2.4.1-suenable.patch
deleted file mode 100644
index f2287fd..0000000
--- a/httpd-2.4.1-suenable.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Removes setuid check because we are now using capabilities to ensure proper
-suexec rights.
-
-Upstream-status: vendor specific.
-
-diff --git a/os/unix/unixd.c b/os/unix/unixd.c
-index 85d5a98..1ee1dfe 100644
---- httpd-2.4.1/modules/arch/unix/mod_unixd.c.suenable
-+++ httpd-2.4.1/modules/arch/unix/mod_unixd.c
-@@ -300,7 +300,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
- ap_unixd_config.suexec_enabled = 0;
- if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
- == APR_SUCCESS) {
-- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
-+ if (wrapper.user == 0
- && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
- ap_unixd_config.suexec_enabled = 1;
- ap_unixd_config.suexec_disabled_reason = "";
diff --git a/httpd-2.4.2-iconlink.patch b/httpd-2.4.2-iconlink.patch
new file mode 100644
index 0000000..4ef8dd9
--- /dev/null
+++ b/httpd-2.4.2-iconlink.patch
@@ -0,0 +1,14 @@
+
+Fix config for /icons/ dir to allow symlink to poweredby.png.
+
+--- httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in.iconlink
++++ httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in
+@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable Ver
+ Alias /icons/ "@exp_iconsdir@/"
+
+ <Directory "@exp_iconsdir@">
+- Options Indexes MultiViews
++ Options Indexes MultiViews FollowSymlinks
+ AllowOverride None
+ Require all granted
+ </Directory>
diff --git a/httpd-2.4.2-r1337344+.patch b/httpd-2.4.2-r1337344+.patch
new file mode 100644
index 0000000..d569dbf
--- /dev/null
+++ b/httpd-2.4.2-r1337344+.patch
@@ -0,0 +1,312 @@
+
+suexec enhancements:
+
+1) use syslog for logging
+2) use capabilities not setuid/setgid root binary
+
+http://svn.apache.org/viewvc?view=revision&revision=1337344
+http://svn.apache.org/viewvc?view=revision&revision=1341905
+http://svn.apache.org/viewvc?view=revision&revision=1342065
+http://svn.apache.org/viewvc?view=revision&revision=1341930
+
+--- httpd-2.4.2/configure.in.r1337344+
++++ httpd-2.4.2/configure.in
+@@ -700,7 +700,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
+
+ AC_ARG_WITH(suexec-logfile,
+ APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
+- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
++ if test "x$withval" = "xyes"; then
++ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
++ fi
++])
++
++AC_ARG_WITH(suexec-syslog,
++APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
++ if test $withval = "yes"; then
++ if test "x${with_suexec_logfile}" != "xno"; then
++ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
++ AC_MSG_ERROR([suexec does not support both logging to file and syslog])
++ fi
++ AC_CHECK_FUNCS([vsyslog], [], [
++ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
++ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
++ fi
++])
++
+
+ AC_ARG_WITH(suexec-safepath,
+ APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
+@@ -710,6 +727,15 @@ AC_ARG_WITH(suexec-umask,
+ APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
+ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
+
++INSTALL_SUEXEC=setuid
++AC_ARG_ENABLE([suexec-capabilities],
++APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
++INSTALL_SUEXEC=caps
++AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
++ [Enable if suexec is installed with Linux capabilities, not setuid])
++])
++APACHE_SUBST(INSTALL_SUEXEC)
++
+ dnl APR should go after the other libs, so the right symbols can be picked up
+ if test x${apu_found} != xobsolete; then
+ AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
+--- httpd-2.4.2/docs/manual/suexec.html.en.r1337344+
++++ httpd-2.4.2/docs/manual/suexec.html.en
+@@ -369,6 +369,21 @@
+ together with the <code>--enable-suexec</code> option to let
+ APACI accept your request for using the suEXEC feature.</dd>
+
++ <dt><code>--enable-suexec-capabilities</code></dt>
++
++ <dd><strong>Linux specific:</strong> Normally,
++ the <code>suexec</code> binary is installed "setuid/setgid
++ root", which allows it to run with the full privileges of the
++ root user. If this option is used, the <code>suexec</code>
++ binary will instead be installed with only the setuid/setgid
++ "capability" bits set, which is the subset of full root
++ priviliges required for suexec operation. Note that
++ the <code>suexec</code> binary may not be able to write to a log
++ file in this mode; it is recommended that the
++ <code>--with-suexec-syslog --without-suexec-logfile</code>
++ options are used in conjunction with this mode, so that syslog
++ logging is used instead.</dd>
++
+ <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
+
+ <dd>The path to the <code>suexec</code> binary must be hard-coded
+@@ -430,6 +445,12 @@
+ "<code>suexec_log</code>" and located in your standard logfile
+ directory (<code>--logfiledir</code>).</dd>
+
++ <dt><code>--with-suexec-syslog</code></dt>
++
++ <dd>If defined, suexec will log notices and errors to syslog
++ instead of a logfile. This option must be combined
++ with <code>--without-suexec-logfile</code>.</dd>
++
+ <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
+
+ <dd>Define a safe PATH environment to pass to CGI
+@@ -546,9 +567,12 @@
+
+ <p>The suEXEC wrapper will write log information
+ to the file defined with the <code>--with-suexec-logfile</code>
+- option as indicated above. If you feel you have configured and
+- installed the wrapper properly, have a look at this log and the
+- error_log for the server to see where you may have gone astray.</p>
++ option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
++ is used. If you feel you have configured and
++ installed the wrapper properly, have a look at the log and the
++ error_log for the server to see where you may have gone astray.
++ The output of <code>"suexec -V"</code> will show the options
++ used to compile suexec, if using a binary distribution.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
+ <div class="section">
+@@ -615,4 +639,4 @@
+ </div><div id="footer">
+ <p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+ <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div>
+-</body></html>
+\ No newline at end of file
++</body></html>
+--- httpd-2.4.2/Makefile.in.r1337344+
++++ httpd-2.4.2/Makefile.in
+@@ -236,11 +236,22 @@ install-man:
+ cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
+ fi
+
+-install-suexec:
++install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
++
++install-suexec-binary:
+ @if test -f $(builddir)/support/suexec; then \
+ test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
+ $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
+- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
++ fi
++
++install-suexec-setuid:
++ @if test -f $(builddir)/support/suexec; then \
++ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
++ fi
++
++install-suexec-caps:
++ @if test -f $(builddir)/support/suexec; then \
++ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
+ suexec:
+--- httpd-2.4.2/modules/arch/unix/mod_unixd.c.r1337344+
++++ httpd-2.4.2/modules/arch/unix/mod_unixd.c
+@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d
+ return NULL;
+ }
+
++#ifdef AP_SUEXEC_CAPABILITIES
++/* If suexec is using capabilities, don't test for the setuid bit. */
++#define SETUID_TEST(finfo) (1)
++#else
++#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
++#endif
++
+ static int
+ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+ apr_pool_t *ptemp)
+@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
+ ap_unixd_config.suexec_enabled = 0;
+ if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
+ == APR_SUCCESS) {
+- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
++ if (SETUID_TEST(wrapper) && wrapper.user == 0
+ && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
+ ap_unixd_config.suexec_enabled = 1;
+ ap_unixd_config.suexec_disabled_reason = "";
+--- httpd-2.4.2/support/suexec.c.r1337344+
++++ httpd-2.4.2/support/suexec.c
+@@ -58,6 +58,10 @@
+ #include <grp.h>
+ #endif
+
++#ifdef AP_LOG_SYSLOG
++#include <syslog.h>
++#endif
++
+ #if defined(PATH_MAX)
+ #define AP_MAXPATH PATH_MAX
+ #elif defined(MAXPATHLEN)
+@@ -69,7 +73,12 @@
+ #define AP_ENVBUF 256
+
+ extern char **environ;
++
++#ifdef AP_LOG_SYSLOG
++static int log_open;
++#else
+ static FILE *log = NULL;
++#endif
+
+ static const char *const safe_env_lst[] =
+ {
+@@ -128,10 +137,23 @@ static const char *const safe_env_lst[]
+ NULL
+ };
+
++static void log_err(const char *fmt,...)
++ __attribute__((format(printf,1,2)));
++static void log_no_err(const char *fmt,...)
++ __attribute__((format(printf,1,2)));
++static void err_output(int is_error, const char *fmt, va_list ap)
++ __attribute__((format(printf,2,0)));
+
+ static void err_output(int is_error, const char *fmt, va_list ap)
+ {
+-#ifdef AP_LOG_EXEC
++#if defined(AP_LOG_SYSLOG)
++ if (!log_open) {
++ openlog("suexec", LOG_PID, LOG_DAEMON);
++ log_open = 1;
++ }
++
++ vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
++#elif defined(AP_LOG_EXEC)
+ time_t timevar;
+ struct tm *lt;
+
+@@ -263,7 +285,7 @@ int main(int argc, char *argv[])
+ */
+ uid = getuid();
+ if ((pw = getpwuid(uid)) == NULL) {
+- log_err("crit: invalid uid: (%ld)\n", uid);
++ log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid);
+ exit(102);
+ }
+ /*
+@@ -289,7 +311,9 @@ int main(int argc, char *argv[])
+ #ifdef AP_HTTPD_USER
+ fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
+ #endif
+-#ifdef AP_LOG_EXEC
++#if defined(AP_LOG_SYSLOG)
++ fprintf(stderr, " -D AP_LOG_SYSLOG\n");
++#elif defined(AP_LOG_EXEC)
+ fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
+ #endif
+ #ifdef AP_SAFE_PATH
+@@ -440,7 +464,7 @@ int main(int argc, char *argv[])
+ * a UID less than AP_UID_MIN. Tsk tsk.
+ */
+ if ((uid == 0) || (uid < AP_UID_MIN)) {
+- log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
++ log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd);
+ exit(107);
+ }
+
+@@ -449,7 +473,7 @@ int main(int argc, char *argv[])
+ * or as a GID less than AP_GID_MIN. Tsk tsk.
+ */
+ if ((gid == 0) || (gid < AP_GID_MIN)) {
+- log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
++ log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd);
+ exit(108);
+ }
+
+@@ -460,7 +484,7 @@ int main(int argc, char *argv[])
+ * and setgid() to the target group. If unsuccessful, error out.
+ */
+ if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
+- log_err("failed to setgid (%ld: %s)\n", gid, cmd);
++ log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd);
+ exit(109);
+ }
+
+@@ -468,7 +492,7 @@ int main(int argc, char *argv[])
+ * setuid() to the target user. Error out on fail.
+ */
+ if ((setuid(uid)) != 0) {
+- log_err("failed to setuid (%ld: %s)\n", uid, cmd);
++ log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
+ exit(110);
+ }
+
+@@ -556,11 +580,11 @@ int main(int argc, char *argv[])
+ (gid != dir_info.st_gid) ||
+ (uid != prg_info.st_uid) ||
+ (gid != prg_info.st_gid)) {
+- log_err("target uid/gid (%ld/%ld) mismatch "
+- "with directory (%ld/%ld) or program (%ld/%ld)\n",
+- uid, gid,
+- dir_info.st_uid, dir_info.st_gid,
+- prg_info.st_uid, prg_info.st_gid);
++ log_err("target uid/gid (%lu/%lu) mismatch "
++ "with directory (%lu/%lu) or program (%lu/%lu)\n",
++ (unsigned long)uid, (unsigned long)gid,
++ (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid,
++ (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid);
+ exit(120);
+ }
+ /*
+@@ -585,6 +609,12 @@ int main(int argc, char *argv[])
+ #endif /* AP_SUEXEC_UMASK */
+
+ /* Be sure to close the log file so the CGI can't mess with it. */
++#ifdef AP_LOG_SYSLOG
++ if (log_open) {
++ closelog();
++ log_open = 0;
++ }
++#else
+ if (log != NULL) {
+ #if APR_HAVE_FCNTL_H
+ /*
+@@ -606,6 +636,7 @@ int main(int argc, char *argv[])
+ log = NULL;
+ #endif
+ }
++#endif
+
+ /*
+ * Execute the command, replacing our image with its own.
diff --git a/httpd-2.4.2-restart.patch b/httpd-2.4.2-restart.patch
index 07ff452..b4f9942 100644
--- a/httpd-2.4.2-restart.patch
+++ b/httpd-2.4.2-restart.patch
@@ -1,6 +1,8 @@
https://bugzilla.redhat.com/show_bug.cgi?id=814645
+http://svn.apache.org/viewvc?rev=1331847&view=rev
+
--- httpd-2.4.2/server/main.c.restart
+++ httpd-2.4.2/server/main.c
@@ -671,6 +671,11 @@ int main(int argc, const char * const ar
diff --git a/httpd.spec b/httpd.spec
index 4b840be..baed854 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.2
-Release: 7%{?dist}
+Release: 11%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -43,7 +43,8 @@ Patch20: httpd-2.0.48-release.patch
Patch23: httpd-2.4.1-export.patch
Patch24: httpd-2.4.1-corelimit.patch
Patch25: httpd-2.4.1-selinux.patch
-Patch26: httpd-2.4.1-suenable.patch
+Patch26: httpd-2.4.2-r1337344+.patch
+Patch27: httpd-2.4.2-iconlink.patch
# Bug fixes
Patch40: httpd-2.4.2-restart.patch
Patch41: httpd-2.4.2-r1327036+.patch
@@ -153,7 +154,8 @@ authentication to the Apache HTTP Server.
%patch23 -p1 -b .export
%patch24 -p1 -b .corelimit
%patch25 -p1 -b .selinux
-%patch26 -p1 -b .suenable
+%patch26 -p1 -b .r1337344+
+%patch27 -p1 -b .iconlink
%patch40 -p1 -b .restart
%patch41 -p1 -b .r1327036+
@@ -163,6 +165,9 @@ authentication to the Apache HTTP Server.
# Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
+# Prevent use of setcap in "install-suexec-caps" target.
+sed -i '/suexec/s,setcap ,echo Skipping setcap for ,' Makefile.in
+
# Safety check: prevent build if defined MMN does not equal upstream MMN.
vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
if test "x${vmmn}" != "x%{mmn}"; then
@@ -207,9 +212,11 @@ export LYNX_PATH=/usr/bin/links
--enable-mpms-shared=all \
--with-apr=%{_prefix} --with-apr-util=%{_prefix} \
--enable-suexec --with-suexec \
+ --enable-suexec-capabilities \
--with-suexec-caller=%{suexec_caller} \
--with-suexec-docroot=%{docroot} \
- --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
+ --without-suexec-logfile \
+ --with-suexec-syslog \
--with-suexec-bin=%{_sbindir}/suexec \
--with-suexec-uidmin=500 --with-suexec-gidmin=100 \
--enable-pie \
@@ -372,9 +379,6 @@ rm -vf \
rm -rf $RPM_BUILD_ROOT/etc/httpd/conf/{original,extra}
-# Make suexec a+rw so it can be stripped. %%files lists real permissions
-chmod 755 $RPM_BUILD_ROOT%{_sbindir}/suexec
-
%pre
# Add the "apache" user
/usr/sbin/useradd -c "Apache" -u 48 \
@@ -485,8 +489,7 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/fcgistarter
%{_sbindir}/apachectl
%{_sbindir}/rotatelogs
-# cap_dac_override needed to write to /var/log/httpd
-%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
+%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
%dir %{_libdir}/httpd
%dir %{_libdir}/httpd/modules
@@ -562,6 +565,24 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd
%changelog
+* Thu May 24 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.4.2-11
+- sync with rawhide, rebuild for remi repo
+
+* Thu May 24 2012 Joe Orton <jorton@redhat.com> - 2.4.2-11
+- really fix autoindex.conf (thanks to remi@)
+
+* Thu May 24 2012 Joe Orton <jorton@redhat.com> - 2.4.2-10
+- fix autoindex.conf to allow symlink to poweredby.png
+
+* Wed May 23 2012 Joe Orton <jorton@redhat.com> - 2.4.2-9
+- suexec: use upstream version of patch for capability bit support
+
+* Wed May 23 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.4.2-8
+- sync with rawhide, rebuild for remi repo
+
+* Wed May 23 2012 Joe Orton <jorton@redhat.com> - 2.4.2-8
+- suexec: use syslog rather than suexec.log, drop dac_override capability
+
* Tue May 1 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.4.2-7
- sync with rawhide, rebuild for remi repo