diff options
-rw-r--r-- | httpd-2.4.1-suenable.patch | 18 | ||||
-rw-r--r-- | httpd-2.4.2-iconlink.patch | 14 | ||||
-rw-r--r-- | httpd-2.4.2-r1337344+.patch | 312 | ||||
-rw-r--r-- | httpd-2.4.2-restart.patch | 2 | ||||
-rw-r--r-- | httpd.spec | 39 |
5 files changed, 358 insertions, 27 deletions
diff --git a/httpd-2.4.1-suenable.patch b/httpd-2.4.1-suenable.patch deleted file mode 100644 index f2287fd..0000000 --- a/httpd-2.4.1-suenable.patch +++ /dev/null @@ -1,18 +0,0 @@ -Removes setuid check because we are now using capabilities to ensure proper -suexec rights. - -Upstream-status: vendor specific. - -diff --git a/os/unix/unixd.c b/os/unix/unixd.c -index 85d5a98..1ee1dfe 100644 ---- httpd-2.4.1/modules/arch/unix/mod_unixd.c.suenable -+++ httpd-2.4.1/modules/arch/unix/mod_unixd.c -@@ -300,7 +300,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_ - ap_unixd_config.suexec_enabled = 0; - if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) - == APR_SUCCESS) { -- if ((wrapper.protection & APR_USETID) && wrapper.user == 0 -+ if (wrapper.user == 0 - && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) { - ap_unixd_config.suexec_enabled = 1; - ap_unixd_config.suexec_disabled_reason = ""; diff --git a/httpd-2.4.2-iconlink.patch b/httpd-2.4.2-iconlink.patch new file mode 100644 index 0000000..4ef8dd9 --- /dev/null +++ b/httpd-2.4.2-iconlink.patch @@ -0,0 +1,14 @@ + +Fix config for /icons/ dir to allow symlink to poweredby.png. + +--- httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in.iconlink ++++ httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in +@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable Ver + Alias /icons/ "@exp_iconsdir@/" + + <Directory "@exp_iconsdir@"> +- Options Indexes MultiViews ++ Options Indexes MultiViews FollowSymlinks + AllowOverride None + Require all granted + </Directory> diff --git a/httpd-2.4.2-r1337344+.patch b/httpd-2.4.2-r1337344+.patch new file mode 100644 index 0000000..d569dbf --- /dev/null +++ b/httpd-2.4.2-r1337344+.patch @@ -0,0 +1,312 @@ + +suexec enhancements: + +1) use syslog for logging +2) use capabilities not setuid/setgid root binary + +http://svn.apache.org/viewvc?view=revision&revision=1337344 +http://svn.apache.org/viewvc?view=revision&revision=1341905 +http://svn.apache.org/viewvc?view=revision&revision=1342065 +http://svn.apache.org/viewvc?view=revision&revision=1341930 + +--- httpd-2.4.2/configure.in.r1337344+ ++++ httpd-2.4.2/configure.in +@@ -700,7 +700,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin, + + AC_ARG_WITH(suexec-logfile, + APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[ +- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] ) ++ if test "x$withval" = "xyes"; then ++ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file]) ++ fi ++]) ++ ++AC_ARG_WITH(suexec-syslog, ++APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[ ++ if test $withval = "yes"; then ++ if test "x${with_suexec_logfile}" != "xno"; then ++ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"]) ++ AC_MSG_ERROR([suexec does not support both logging to file and syslog]) ++ fi ++ AC_CHECK_FUNCS([vsyslog], [], [ ++ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])]) ++ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog]) ++ fi ++]) ++ + + AC_ARG_WITH(suexec-safepath, + APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[ +@@ -710,6 +727,15 @@ AC_ARG_WITH(suexec-umask, + APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[ + AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] ) + ++INSTALL_SUEXEC=setuid ++AC_ARG_ENABLE([suexec-capabilities], ++APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [ ++INSTALL_SUEXEC=caps ++AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, ++ [Enable if suexec is installed with Linux capabilities, not setuid]) ++]) ++APACHE_SUBST(INSTALL_SUEXEC) ++ + dnl APR should go after the other libs, so the right symbols can be picked up + if test x${apu_found} != xobsolete; then + AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`" +--- httpd-2.4.2/docs/manual/suexec.html.en.r1337344+ ++++ httpd-2.4.2/docs/manual/suexec.html.en +@@ -369,6 +369,21 @@ + together with the <code>--enable-suexec</code> option to let + APACI accept your request for using the suEXEC feature.</dd> + ++ <dt><code>--enable-suexec-capabilities</code></dt> ++ ++ <dd><strong>Linux specific:</strong> Normally, ++ the <code>suexec</code> binary is installed "setuid/setgid ++ root", which allows it to run with the full privileges of the ++ root user. If this option is used, the <code>suexec</code> ++ binary will instead be installed with only the setuid/setgid ++ "capability" bits set, which is the subset of full root ++ priviliges required for suexec operation. Note that ++ the <code>suexec</code> binary may not be able to write to a log ++ file in this mode; it is recommended that the ++ <code>--with-suexec-syslog --without-suexec-logfile</code> ++ options are used in conjunction with this mode, so that syslog ++ logging is used instead.</dd> ++ + <dt><code>--with-suexec-bin=<em>PATH</em></code></dt> + + <dd>The path to the <code>suexec</code> binary must be hard-coded +@@ -430,6 +445,12 @@ + "<code>suexec_log</code>" and located in your standard logfile + directory (<code>--logfiledir</code>).</dd> + ++ <dt><code>--with-suexec-syslog</code></dt> ++ ++ <dd>If defined, suexec will log notices and errors to syslog ++ instead of a logfile. This option must be combined ++ with <code>--without-suexec-logfile</code>.</dd> ++ + <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt> + + <dd>Define a safe PATH environment to pass to CGI +@@ -546,9 +567,12 @@ + + <p>The suEXEC wrapper will write log information + to the file defined with the <code>--with-suexec-logfile</code> +- option as indicated above. If you feel you have configured and +- installed the wrapper properly, have a look at this log and the +- error_log for the server to see where you may have gone astray.</p> ++ option as indicated above, or to syslog if <code>--with-suexec-syslog</code> ++ is used. If you feel you have configured and ++ installed the wrapper properly, have a look at the log and the ++ error_log for the server to see where you may have gone astray. ++ The output of <code>"suexec -V"</code> will show the options ++ used to compile suexec, if using a binary distribution.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div> + <div class="section"> +@@ -615,4 +639,4 @@ + </div><div id="footer"> + <p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> + <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div> +-</body></html> +\ No newline at end of file ++</body></html> +--- httpd-2.4.2/Makefile.in.r1337344+ ++++ httpd-2.4.2/Makefile.in +@@ -236,11 +236,22 @@ install-man: + cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ + fi + +-install-suexec: ++install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC) ++ ++install-suexec-binary: + @if test -f $(builddir)/support/suexec; then \ + test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ + $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ +- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ ++ fi ++ ++install-suexec-setuid: ++ @if test -f $(builddir)/support/suexec; then \ ++ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ ++ fi ++ ++install-suexec-caps: ++ @if test -f $(builddir)/support/suexec; then \ ++ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ + fi + + suexec: +--- httpd-2.4.2/modules/arch/unix/mod_unixd.c.r1337344+ ++++ httpd-2.4.2/modules/arch/unix/mod_unixd.c +@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d + return NULL; + } + ++#ifdef AP_SUEXEC_CAPABILITIES ++/* If suexec is using capabilities, don't test for the setuid bit. */ ++#define SETUID_TEST(finfo) (1) ++#else ++#define SETUID_TEST(finfo) (finfo.protection & APR_USETID) ++#endif ++ + static int + unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, + apr_pool_t *ptemp) +@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_ + ap_unixd_config.suexec_enabled = 0; + if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) + == APR_SUCCESS) { +- if ((wrapper.protection & APR_USETID) && wrapper.user == 0 ++ if (SETUID_TEST(wrapper) && wrapper.user == 0 + && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) { + ap_unixd_config.suexec_enabled = 1; + ap_unixd_config.suexec_disabled_reason = ""; +--- httpd-2.4.2/support/suexec.c.r1337344+ ++++ httpd-2.4.2/support/suexec.c +@@ -58,6 +58,10 @@ + #include <grp.h> + #endif + ++#ifdef AP_LOG_SYSLOG ++#include <syslog.h> ++#endif ++ + #if defined(PATH_MAX) + #define AP_MAXPATH PATH_MAX + #elif defined(MAXPATHLEN) +@@ -69,7 +73,12 @@ + #define AP_ENVBUF 256 + + extern char **environ; ++ ++#ifdef AP_LOG_SYSLOG ++static int log_open; ++#else + static FILE *log = NULL; ++#endif + + static const char *const safe_env_lst[] = + { +@@ -128,10 +137,23 @@ static const char *const safe_env_lst[] + NULL + }; + ++static void log_err(const char *fmt,...) ++ __attribute__((format(printf,1,2))); ++static void log_no_err(const char *fmt,...) ++ __attribute__((format(printf,1,2))); ++static void err_output(int is_error, const char *fmt, va_list ap) ++ __attribute__((format(printf,2,0))); + + static void err_output(int is_error, const char *fmt, va_list ap) + { +-#ifdef AP_LOG_EXEC ++#if defined(AP_LOG_SYSLOG) ++ if (!log_open) { ++ openlog("suexec", LOG_PID, LOG_DAEMON); ++ log_open = 1; ++ } ++ ++ vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap); ++#elif defined(AP_LOG_EXEC) + time_t timevar; + struct tm *lt; + +@@ -263,7 +285,7 @@ int main(int argc, char *argv[]) + */ + uid = getuid(); + if ((pw = getpwuid(uid)) == NULL) { +- log_err("crit: invalid uid: (%ld)\n", uid); ++ log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid); + exit(102); + } + /* +@@ -289,7 +311,9 @@ int main(int argc, char *argv[]) + #ifdef AP_HTTPD_USER + fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER); + #endif +-#ifdef AP_LOG_EXEC ++#if defined(AP_LOG_SYSLOG) ++ fprintf(stderr, " -D AP_LOG_SYSLOG\n"); ++#elif defined(AP_LOG_EXEC) + fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); + #endif + #ifdef AP_SAFE_PATH +@@ -440,7 +464,7 @@ int main(int argc, char *argv[]) + * a UID less than AP_UID_MIN. Tsk tsk. + */ + if ((uid == 0) || (uid < AP_UID_MIN)) { +- log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd); ++ log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd); + exit(107); + } + +@@ -449,7 +473,7 @@ int main(int argc, char *argv[]) + * or as a GID less than AP_GID_MIN. Tsk tsk. + */ + if ((gid == 0) || (gid < AP_GID_MIN)) { +- log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd); ++ log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd); + exit(108); + } + +@@ -460,7 +484,7 @@ int main(int argc, char *argv[]) + * and setgid() to the target group. If unsuccessful, error out. + */ + if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) { +- log_err("failed to setgid (%ld: %s)\n", gid, cmd); ++ log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd); + exit(109); + } + +@@ -468,7 +492,7 @@ int main(int argc, char *argv[]) + * setuid() to the target user. Error out on fail. + */ + if ((setuid(uid)) != 0) { +- log_err("failed to setuid (%ld: %s)\n", uid, cmd); ++ log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd); + exit(110); + } + +@@ -556,11 +580,11 @@ int main(int argc, char *argv[]) + (gid != dir_info.st_gid) || + (uid != prg_info.st_uid) || + (gid != prg_info.st_gid)) { +- log_err("target uid/gid (%ld/%ld) mismatch " +- "with directory (%ld/%ld) or program (%ld/%ld)\n", +- uid, gid, +- dir_info.st_uid, dir_info.st_gid, +- prg_info.st_uid, prg_info.st_gid); ++ log_err("target uid/gid (%lu/%lu) mismatch " ++ "with directory (%lu/%lu) or program (%lu/%lu)\n", ++ (unsigned long)uid, (unsigned long)gid, ++ (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid, ++ (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid); + exit(120); + } + /* +@@ -585,6 +609,12 @@ int main(int argc, char *argv[]) + #endif /* AP_SUEXEC_UMASK */ + + /* Be sure to close the log file so the CGI can't mess with it. */ ++#ifdef AP_LOG_SYSLOG ++ if (log_open) { ++ closelog(); ++ log_open = 0; ++ } ++#else + if (log != NULL) { + #if APR_HAVE_FCNTL_H + /* +@@ -606,6 +636,7 @@ int main(int argc, char *argv[]) + log = NULL; + #endif + } ++#endif + + /* + * Execute the command, replacing our image with its own. diff --git a/httpd-2.4.2-restart.patch b/httpd-2.4.2-restart.patch index 07ff452..b4f9942 100644 --- a/httpd-2.4.2-restart.patch +++ b/httpd-2.4.2-restart.patch @@ -1,6 +1,8 @@ https://bugzilla.redhat.com/show_bug.cgi?id=814645 +http://svn.apache.org/viewvc?rev=1331847&view=rev + --- httpd-2.4.2/server/main.c.restart +++ httpd-2.4.2/server/main.c @@ -671,6 +671,11 @@ int main(int argc, const char * const ar @@ -8,7 +8,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.2 -Release: 7%{?dist} +Release: 11%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -43,7 +43,8 @@ Patch20: httpd-2.0.48-release.patch Patch23: httpd-2.4.1-export.patch Patch24: httpd-2.4.1-corelimit.patch Patch25: httpd-2.4.1-selinux.patch -Patch26: httpd-2.4.1-suenable.patch +Patch26: httpd-2.4.2-r1337344+.patch +Patch27: httpd-2.4.2-iconlink.patch # Bug fixes Patch40: httpd-2.4.2-restart.patch Patch41: httpd-2.4.2-r1327036+.patch @@ -153,7 +154,8 @@ authentication to the Apache HTTP Server. %patch23 -p1 -b .export %patch24 -p1 -b .corelimit %patch25 -p1 -b .selinux -%patch26 -p1 -b .suenable +%patch26 -p1 -b .r1337344+ +%patch27 -p1 -b .iconlink %patch40 -p1 -b .restart %patch41 -p1 -b .r1327036+ @@ -163,6 +165,9 @@ authentication to the Apache HTTP Server. # Patch in vendor/release string sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 +# Prevent use of setcap in "install-suexec-caps" target. +sed -i '/suexec/s,setcap ,echo Skipping setcap for ,' Makefile.in + # Safety check: prevent build if defined MMN does not equal upstream MMN. vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'` if test "x${vmmn}" != "x%{mmn}"; then @@ -207,9 +212,11 @@ export LYNX_PATH=/usr/bin/links --enable-mpms-shared=all \ --with-apr=%{_prefix} --with-apr-util=%{_prefix} \ --enable-suexec --with-suexec \ + --enable-suexec-capabilities \ --with-suexec-caller=%{suexec_caller} \ --with-suexec-docroot=%{docroot} \ - --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \ + --without-suexec-logfile \ + --with-suexec-syslog \ --with-suexec-bin=%{_sbindir}/suexec \ --with-suexec-uidmin=500 --with-suexec-gidmin=100 \ --enable-pie \ @@ -372,9 +379,6 @@ rm -vf \ rm -rf $RPM_BUILD_ROOT/etc/httpd/conf/{original,extra} -# Make suexec a+rw so it can be stripped. %%files lists real permissions -chmod 755 $RPM_BUILD_ROOT%{_sbindir}/suexec - %pre # Add the "apache" user /usr/sbin/useradd -c "Apache" -u 48 \ @@ -485,8 +489,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/fcgistarter %{_sbindir}/apachectl %{_sbindir}/rotatelogs -# cap_dac_override needed to write to /var/log/httpd -%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec +%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec %dir %{_libdir}/httpd %dir %{_libdir}/httpd/modules @@ -562,6 +565,24 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog +* Thu May 24 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.4.2-11 +- sync with rawhide, rebuild for remi repo + +* Thu May 24 2012 Joe Orton <jorton@redhat.com> - 2.4.2-11 +- really fix autoindex.conf (thanks to remi@) + +* Thu May 24 2012 Joe Orton <jorton@redhat.com> - 2.4.2-10 +- fix autoindex.conf to allow symlink to poweredby.png + +* Wed May 23 2012 Joe Orton <jorton@redhat.com> - 2.4.2-9 +- suexec: use upstream version of patch for capability bit support + +* Wed May 23 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.4.2-8 +- sync with rawhide, rebuild for remi repo + +* Wed May 23 2012 Joe Orton <jorton@redhat.com> - 2.4.2-8 +- suexec: use syslog rather than suexec.log, drop dac_override capability + * Tue May 1 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.4.2-7 - sync with rawhide, rebuild for remi repo |