1 files changed, 250 insertions, 0 deletions
diff --git a/httpd-2.4.4-r1337344+.patch b/httpd-2.4.4-r1337344+.patch
new file mode 100644
index 0000000..6e5c3e7
--- /dev/null
+++ b/httpd-2.4.4-r1337344+.patch
@@ -0,0 +1,250 @@
+# ./pullrev.sh 1337344 1341905 1342065 1341930
+
+suexec enhancements:
+
+1) use syslog for logging
+2) use capabilities not setuid/setgid root binary
+
+http://svn.apache.org/viewvc?view=revision&revision=1337344
+http://svn.apache.org/viewvc?view=revision&revision=1341905
+http://svn.apache.org/viewvc?view=revision&revision=1342065
+http://svn.apache.org/viewvc?view=revision&revision=1341930
+
+--- httpd-2.4.4/configure.in.r1337344+
++++ httpd-2.4.4/configure.in
+@@ -734,7 +734,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
+ 
+ AC_ARG_WITH(suexec-logfile,
+ APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
+-  AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
++  if test "x$withval" = "xyes"; then
++    AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
++  fi
++])
++
++AC_ARG_WITH(suexec-syslog,
++APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
++  if test $withval = "yes"; then
++    if test "x${with_suexec_logfile}" != "xno"; then
++      AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
++      AC_MSG_ERROR([suexec does not support both logging to file and syslog])
++    fi
++    AC_CHECK_FUNCS([vsyslog], [], [
++       AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
++    AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
++  fi    
++])
++
+ 
+ AC_ARG_WITH(suexec-safepath,
+ APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
+@@ -744,6 +761,15 @@ AC_ARG_WITH(suexec-umask,
+ APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
+   AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
+ 
++INSTALL_SUEXEC=setuid
++AC_ARG_ENABLE([suexec-capabilities], 
++APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
++INSTALL_SUEXEC=caps
++AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, 
++          [Enable if suexec is installed with Linux capabilities, not setuid])
++])
++APACHE_SUBST(INSTALL_SUEXEC)
++
+ dnl APR should go after the other libs, so the right symbols can be picked up
+ if test x${apu_found} != xobsolete; then
+   AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
+--- httpd-2.4.4/docs/manual/suexec.html.en.r1337344+
++++ httpd-2.4.4/docs/manual/suexec.html.en
+@@ -372,6 +372,21 @@
+       together with the <code>--enable-suexec</code> option to let
+       APACI accept your request for using the suEXEC feature.</dd>
+ 
++      <dt><code>--enable-suexec-capabilities</code></dt>
++
++      <dd><strong>Linux specific:</strong> Normally,
++      the <code>suexec</code> binary is installed "setuid/setgid
++      root", which allows it to run with the full privileges of the
++      root user.  If this option is used, the <code>suexec</code>
++      binary will instead be installed with only the setuid/setgid
++      "capability" bits set, which is the subset of full root
++      priviliges required for suexec operation.  Note that
++      the <code>suexec</code> binary may not be able to write to a log
++      file in this mode; it is recommended that the
++      <code>--with-suexec-syslog --without-suexec-logfile</code>
++      options are used in conjunction with this mode, so that syslog
++      logging is used instead.</dd>
++
+       <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
+ 
+       <dd>The path to the <code>suexec</code> binary must be hard-coded
+@@ -433,6 +448,12 @@
+       "<code>suexec_log</code>" and located in your standard logfile
+       directory (<code>--logfiledir</code>).</dd>
+ 
++      <dt><code>--with-suexec-syslog</code></dt>
++
++      <dd>If defined, suexec will log notices and errors to syslog
++      instead of a logfile.  This option must be combined
++      with <code>--without-suexec-logfile</code>.</dd>
++
+       <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
+ 
+       <dd>Define a safe PATH environment to pass to CGI
+@@ -550,9 +571,12 @@ Group webgroup
+ 
+     <p>The suEXEC wrapper will write log information
+     to the file defined with the <code>--with-suexec-logfile</code>
+-    option as indicated above. If you feel you have configured and
+-    installed the wrapper properly, have a look at this log and the
+-    error_log for the server to see where you may have gone astray.</p>
++    option as indicated above, or to syslog if <code>--with-suexec-syslog</code>
++    is used. If you feel you have configured and
++    installed the wrapper properly, have a look at the log and the
++    error_log for the server to see where you may have gone astray. 
++    The output of <code>"suexec -V"</code> will show the options
++    used to compile suexec, if using a binary distribution.</p>
+ 
+ </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
+ <div class="section">
+@@ -640,4 +664,4 @@ if (typeof(prettyPrint) !== 'undefined')
+     prettyPrint();
+ }
+ //--><!]]></script>
+-</body></html>
+\ No newline at end of file
++</body></html>
+--- httpd-2.4.4/Makefile.in.r1337344+
++++ httpd-2.4.4/Makefile.in
+@@ -238,11 +238,22 @@ install-man:
+ 	  cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
+ 	fi
+ 
+-install-suexec:
++install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
++
++install-suexec-binary:
+ 	@if test -f $(builddir)/support/suexec; then \
+             test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
+             $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
+-            chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
++	fi
++
++install-suexec-setuid:
++	@if test -f $(builddir)/support/suexec; then \
++	    chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
++	fi
++
++install-suexec-caps:
++	@if test -f $(builddir)/support/suexec; then \
++            setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
+ 	fi
+ 
+ suexec:
+--- httpd-2.4.4/modules/arch/unix/mod_unixd.c.r1337344+
++++ httpd-2.4.4/modules/arch/unix/mod_unixd.c
+@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d
+     return NULL;
+ }
+ 
++#ifdef AP_SUEXEC_CAPABILITIES
++/* If suexec is using capabilities, don't test for the setuid bit. */
++#define SETUID_TEST(finfo) (1)
++#else
++#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
++#endif
++
+ static int
+ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+                  apr_pool_t *ptemp)
+@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
+     ap_unixd_config.suexec_enabled = 0;
+     if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
+          == APR_SUCCESS) {
+-        if ((wrapper.protection & APR_USETID) && wrapper.user == 0
++        if (SETUID_TEST(wrapper) && wrapper.user == 0
+             && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
+             ap_unixd_config.suexec_enabled = 1;
+             ap_unixd_config.suexec_disabled_reason = "";
+--- httpd-2.4.4/support/suexec.c.r1337344+
++++ httpd-2.4.4/support/suexec.c
+@@ -58,6 +58,10 @@
+ #include <grp.h>
+ #endif
+ 
++#ifdef AP_LOG_SYSLOG
++#include <syslog.h>
++#endif
++
+ #if defined(PATH_MAX)
+ #define AP_MAXPATH PATH_MAX
+ #elif defined(MAXPATHLEN)
+@@ -69,7 +73,20 @@
+ #define AP_ENVBUF 256
+ 
+ extern char **environ;
++
++#ifdef AP_LOG_SYSLOG
++/* Syslog support. */
++#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV)
++#define AP_LOG_FACILITY LOG_AUTHPRIV
++#elif !defined(AP_LOG_FACILITY)
++#define AP_LOG_FACILITY LOG_AUTH
++#endif
++
++static int log_open;
++#else
++/* Non-syslog support. */
+ static FILE *log = NULL;
++#endif
+ 
+ static const char *const safe_env_lst[] =
+ {
+@@ -137,7 +154,14 @@ static void err_output(int is_error, con
+ 
+ static void err_output(int is_error, const char *fmt, va_list ap)
+ {
+-#ifdef AP_LOG_EXEC
++#if defined(AP_LOG_SYSLOG)
++    if (!log_open) {
++        openlog("suexec", LOG_PID, AP_LOG_FACILITY);
++        log_open = 1;
++    }
++
++    vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);
++#elif defined(AP_LOG_EXEC)
+     time_t timevar;
+     struct tm *lt;
+ 
+@@ -295,7 +319,9 @@ int main(int argc, char *argv[])
+ #ifdef AP_HTTPD_USER
+         fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
+ #endif
+-#ifdef AP_LOG_EXEC
++#if defined(AP_LOG_SYSLOG)
++        fprintf(stderr, " -D AP_LOG_SYSLOG\n");
++#elif defined(AP_LOG_EXEC)
+         fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
+ #endif
+ #ifdef AP_SAFE_PATH
+@@ -591,6 +617,12 @@ int main(int argc, char *argv[])
+ #endif /* AP_SUEXEC_UMASK */
+ 
+     /* Be sure to close the log file so the CGI can't mess with it. */
++#ifdef AP_LOG_SYSLOG
++    if (log_open) {
++        closelog();
++        log_open = 0;
++    }
++#else
+     if (log != NULL) {
+ #if APR_HAVE_FCNTL_H
+         /*
+@@ -612,6 +644,7 @@ int main(int argc, char *argv[])
+         log = NULL;
+ #endif
+     }
++#endif
+ 
+     /*
+      * Execute the command, replacing our image with its own.