# ./pullrev.sh 1337344 1341905 1342065 1341930 1344712 suexec enhancements: 1) use syslog for logging 2) use capabilities not setuid/setgid root binary http://svn.apache.org/viewvc?view=revision&revision=1337344 http://svn.apache.org/viewvc?view=revision&revision=1341905 http://svn.apache.org/viewvc?view=revision&revision=1342065 http://svn.apache.org/viewvc?view=revision&revision=1341930 http://svn.apache.org/viewvc?view=revision&revision=1344712 --- httpd-2.4.2/configure.in.r1337344+ +++ httpd-2.4.2/configure.in @@ -700,7 +700,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin, AC_ARG_WITH(suexec-logfile, APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[ - AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] ) + if test "x$withval" = "xyes"; then + AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file]) + fi +]) + +AC_ARG_WITH(suexec-syslog, +APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[ + if test $withval = "yes"; then + if test "x${with_suexec_logfile}" != "xno"; then + AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"]) + AC_MSG_ERROR([suexec does not support both logging to file and syslog]) + fi + AC_CHECK_FUNCS([vsyslog], [], [ + AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])]) + AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog]) + fi +]) + AC_ARG_WITH(suexec-safepath, APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[ @@ -710,6 +727,15 @@ AC_ARG_WITH(suexec-umask, APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] ) +INSTALL_SUEXEC=setuid +AC_ARG_ENABLE([suexec-capabilities], +APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [ +INSTALL_SUEXEC=caps +AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, + [Enable if suexec is installed with Linux capabilities, not setuid]) +]) +APACHE_SUBST(INSTALL_SUEXEC) + dnl APR should go after the other libs, so the right symbols can be picked up if test x${apu_found} != xobsolete; then AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`" --- httpd-2.4.2/docs/manual/suexec.html.en.r1337344+ +++ httpd-2.4.2/docs/manual/suexec.html.en @@ -369,6 +369,21 @@ together with the --enable-suexec option to let APACI accept your request for using the suEXEC feature. +
--enable-suexec-capabilities
+ +
Linux specific: Normally, + the suexec binary is installed "setuid/setgid + root", which allows it to run with the full privileges of the + root user. If this option is used, the suexec + binary will instead be installed with only the setuid/setgid + "capability" bits set, which is the subset of full root + priviliges required for suexec operation. Note that + the suexec binary may not be able to write to a log + file in this mode; it is recommended that the + --with-suexec-syslog --without-suexec-logfile + options are used in conjunction with this mode, so that syslog + logging is used instead.
+
--with-suexec-bin=PATH
The path to the suexec binary must be hard-coded @@ -430,6 +445,12 @@ "suexec_log" and located in your standard logfile directory (--logfiledir).
+
--with-suexec-syslog
+ +
If defined, suexec will log notices and errors to syslog + instead of a logfile. This option must be combined + with --without-suexec-logfile.
+
--with-suexec-safepath=PATH
Define a safe PATH environment to pass to CGI @@ -546,9 +567,12 @@

The suEXEC wrapper will write log information to the file defined with the --with-suexec-logfile - option as indicated above. If you feel you have configured and - installed the wrapper properly, have a look at this log and the - error_log for the server to see where you may have gone astray.

+ option as indicated above, or to syslog if --with-suexec-syslog + is used. If you feel you have configured and + installed the wrapper properly, have a look at the log and the + error_log for the server to see where you may have gone astray. + The output of "suexec -V" will show the options + used to compile suexec, if using a binary distribution.

top
--- httpd-2.4.2/Makefile.in.r1337344+ +++ httpd-2.4.2/Makefile.in @@ -236,11 +236,22 @@ install-man: cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ fi -install-suexec: +install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC) + +install-suexec-binary: @if test -f $(builddir)/support/suexec; then \ test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ - chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ + fi + +install-suexec-setuid: + @if test -f $(builddir)/support/suexec; then \ + chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ + fi + +install-suexec-caps: + @if test -f $(builddir)/support/suexec; then \ + echo Skipping setcap for 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ fi suexec: --- httpd-2.4.2/modules/arch/unix/mod_unixd.c.r1337344+ +++ httpd-2.4.2/modules/arch/unix/mod_unixd.c @@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d return NULL; } +#ifdef AP_SUEXEC_CAPABILITIES +/* If suexec is using capabilities, don't test for the setuid bit. */ +#define SETUID_TEST(finfo) (1) +#else +#define SETUID_TEST(finfo) (finfo.protection & APR_USETID) +#endif + static int unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) @@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_ ap_unixd_config.suexec_enabled = 0; if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) == APR_SUCCESS) { - if ((wrapper.protection & APR_USETID) && wrapper.user == 0 + if (SETUID_TEST(wrapper) && wrapper.user == 0 && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) { ap_unixd_config.suexec_enabled = 1; ap_unixd_config.suexec_disabled_reason = ""; --- httpd-2.4.2/support/suexec.c.r1337344+ +++ httpd-2.4.2/support/suexec.c @@ -58,6 +58,10 @@ #include #endif +#ifdef AP_LOG_SYSLOG +#include +#endif + #if defined(PATH_MAX) #define AP_MAXPATH PATH_MAX #elif defined(MAXPATHLEN) @@ -69,7 +73,20 @@ #define AP_ENVBUF 256 extern char **environ; + +#ifdef AP_LOG_SYSLOG +/* Syslog support. */ +#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV) +#define AP_LOG_FACILITY LOG_AUTHPRIV +#elif !defined(AP_LOG_FACILITY) +#define AP_LOG_FACILITY LOG_AUTH +#endif + +static int log_open; +#else +/* Non-syslog support. */ static FILE *log = NULL; +#endif static const char *const safe_env_lst[] = { @@ -128,10 +145,23 @@ static const char *const safe_env_lst[] NULL }; +static void log_err(const char *fmt,...) + __attribute__((format(printf,1,2))); +static void log_no_err(const char *fmt,...) + __attribute__((format(printf,1,2))); +static void err_output(int is_error, const char *fmt, va_list ap) + __attribute__((format(printf,2,0))); static void err_output(int is_error, const char *fmt, va_list ap) { -#ifdef AP_LOG_EXEC +#if defined(AP_LOG_SYSLOG) + if (!log_open) { + openlog("suexec", LOG_PID, AP_LOG_FACILITY); + log_open = 1; + } + + vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap); +#elif defined(AP_LOG_EXEC) time_t timevar; struct tm *lt; @@ -263,7 +293,7 @@ int main(int argc, char *argv[]) */ uid = getuid(); if ((pw = getpwuid(uid)) == NULL) { - log_err("crit: invalid uid: (%ld)\n", uid); + log_err("crit: invalid uid: (%lu)\n", (unsigned long)uid); exit(102); } /* @@ -289,7 +319,9 @@ int main(int argc, char *argv[]) #ifdef AP_HTTPD_USER fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER); #endif -#ifdef AP_LOG_EXEC +#if defined(AP_LOG_SYSLOG) + fprintf(stderr, " -D AP_LOG_SYSLOG\n"); +#elif defined(AP_LOG_EXEC) fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); #endif #ifdef AP_SAFE_PATH @@ -440,7 +472,7 @@ int main(int argc, char *argv[]) * a UID less than AP_UID_MIN. Tsk tsk. */ if ((uid == 0) || (uid < AP_UID_MIN)) { - log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd); + log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd); exit(107); } @@ -449,7 +481,7 @@ int main(int argc, char *argv[]) * or as a GID less than AP_GID_MIN. Tsk tsk. */ if ((gid == 0) || (gid < AP_GID_MIN)) { - log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd); + log_err("cannot run as forbidden gid (%lu/%s)\n", (unsigned long)gid, cmd); exit(108); } @@ -460,7 +492,7 @@ int main(int argc, char *argv[]) * and setgid() to the target group. If unsuccessful, error out. */ if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) { - log_err("failed to setgid (%ld: %s)\n", gid, cmd); + log_err("failed to setgid (%lu: %s)\n", (unsigned long)gid, cmd); exit(109); } @@ -468,7 +500,7 @@ int main(int argc, char *argv[]) * setuid() to the target user. Error out on fail. */ if ((setuid(uid)) != 0) { - log_err("failed to setuid (%ld: %s)\n", uid, cmd); + log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd); exit(110); } @@ -556,11 +588,11 @@ int main(int argc, char *argv[]) (gid != dir_info.st_gid) || (uid != prg_info.st_uid) || (gid != prg_info.st_gid)) { - log_err("target uid/gid (%ld/%ld) mismatch " - "with directory (%ld/%ld) or program (%ld/%ld)\n", - uid, gid, - dir_info.st_uid, dir_info.st_gid, - prg_info.st_uid, prg_info.st_gid); + log_err("target uid/gid (%lu/%lu) mismatch " + "with directory (%lu/%lu) or program (%lu/%lu)\n", + (unsigned long)uid, (unsigned long)gid, + (unsigned long)dir_info.st_uid, (unsigned long)dir_info.st_gid, + (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid); exit(120); } /* @@ -585,6 +617,12 @@ int main(int argc, char *argv[]) #endif /* AP_SUEXEC_UMASK */ /* Be sure to close the log file so the CGI can't mess with it. */ +#ifdef AP_LOG_SYSLOG + if (log_open) { + closelog(); + log_open = 0; + } +#else if (log != NULL) { #if APR_HAVE_FCNTL_H /* @@ -606,6 +644,7 @@ int main(int argc, char *argv[]) log = NULL; #endif } +#endif /* * Execute the command, replacing our image with its own.