source:
server/common/patches/httpd-suexec-scripts.patch
@
  699
        
        | Last change on this file since 699 was 618, checked in by andersk, 18 years ago | |
|---|---|
| File size: 6.1 KB | |
- 
        httpd-2.2.2/support/Makefile.in# scripts.mit.edu httpd suexec patch # Copyright (C) 2006, 2007 Jeff Arnold <jbarnold@mit.edu>, Joe Presbrey <presbrey@mit.edu>, Anders Kaseorg <andersk@mit.edu> # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA # # See /COPYRIGHT in this repository for more information. # old new 60 60 61 61 suexec_OBJECTS = suexec.lo 62 62 suexec: $(suexec_OBJECTS) 63 $(LINK) $(suexec_OBJECTS)63 $(LINK) -lselinux $(suexec_OBJECTS) 64 64 65 65 htcacheclean_OBJECTS = htcacheclean.lo 66 66 htcacheclean: $(htcacheclean_OBJECTS) 
- 
        httpd-2.2.2/support/suexec.cold new 30 30 * 31 31 */ 32 32 33 #define STATIC_CAT_PATH "/usr/local/bin/static-cat" 34 33 35 #include "apr.h" 34 36 #include "ap_config.h" 35 37 #include "suexec.h" … … 46 48 #include <stdio.h> 47 49 #include <stdarg.h> 48 50 #include <stdlib.h> 51 #include <selinux/selinux.h> 49 52 50 53 #ifdef HAVE_PWD_H 51 54 #include <pwd.h> … … 95 98 { 96 99 /* variable name starts with */ 97 100 "HTTP_", 101 "HTTPS_", 98 102 "SSL_", 99 103 100 104 /* variable name is */ … … 140 144 "UNIQUE_ID=", 141 145 "USER_NAME=", 142 146 "TZ=", 147 "PHPRC=", 143 148 NULL 144 149 }; 145 150 … … 245 250 environ = cleanenv; 246 251 } 247 252 253 static const char *static_extensions[] = { 254 "html", 255 "css", 256 "gif", 257 "jpg", 258 "png", 259 "htm", 260 "jpeg", 261 "js", 262 "ico", 263 "xml", 264 "xsl", 265 "tiff", 266 "tif", 267 "tgz", 268 "tar", 269 "jar", 270 "zip", 271 "pdf", 272 "ps", 273 "doc", 274 "xls", 275 "ppt", 276 "swf", 277 "mp3", 278 "mov", 279 "wmv", 280 "mpg", 281 "mpeg", 282 "avi", 283 "il", 284 "JPG", 285 "xhtml", 286 "svg", 287 NULL 288 }; 289 290 static int is_static_extension(const char *file) 291 { 292 const char *extension = strrchr(file, '.'); 293 const char **p; 294 if (extension == NULL) return 0; 295 for (p = static_extensions; *p; ++p) { 296 if (strcmp(extension + 1, *p) == 0) return 1; 297 } 298 return 0; 299 } 300 248 301 int main(int argc, char *argv[]) 249 302 { 250 303 int userdir = 0; /* ~userdir flag */ … … 450 501 * Error out if attempt is made to execute as root or as 451 502 * a UID less than AP_UID_MIN. Tsk tsk. 452 503 */ 453 if ((uid == 0) || (uid < AP_UID_MIN )) {504 if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) { 454 505 log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd); 455 506 exit(107); 456 507 } … … 482 533 log_err("failed to setuid (%ld: %s)\n", uid, cmd); 483 534 exit(110); 484 535 } 536 if (is_selinux_enabled()) { 537 if (uid == 102) { 538 if (setexeccon("system_u:system_r:signup_t:s0") == -1) { 539 log_err("failed to setexeccon (%ld: %s) to signup_t\n", uid, cmd); 540 exit(201); 541 } 542 } else { 543 if (setexeccon("user_u:user_r:user_t:s0") == -1) { 544 log_err("failed to setexeccon (%ld: %s) to user_t\n", uid, cmd); 545 exit(202); 546 } 547 } 548 } 485 549 486 550 /* 487 551 * Get the current working directory, as well as the proper … … 513 575 exit(113); 514 576 } 515 577 } 578 size_t expected_len = strlen(target_homedir)+1+strlen(AP_USERDIR_SUFFIX)+1; 579 char *expected = malloc(expected_len); 580 snprintf(expected, expected_len, "%s/%s", target_homedir, AP_USERDIR_SUFFIX); 581 if (strncmp(cwd, expected, expected_len-1) != 0) { 582 log_err("error: file's directory not a subdirectory of user's home directory (%s, %s)\n", cwd, expected); 583 exit(114); 584 } 516 585 517 586 if ((strncmp(cwd, dwd, strlen(dwd))) != 0) { 518 587 log_err("command not in docroot (%s/%s)\n", cwd, cmd); … … 530 598 /* 531 599 * Error out if cwd is writable by others. 532 600 */ 601 #if 0 533 602 if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) { 534 603 log_err("directory is writable by others: (%s)\n", cwd); 535 604 exit(116); 536 605 } 606 #endif 537 607 538 608 /* 539 609 * Error out if we cannot stat the program. 540 610 */ 541 if (((lstat(cmd, &prg_info)) != 0) || (S_ISLNK(prg_info.st_mode))) {611 if (((lstat(cmd, &prg_info)) != 0) /*|| (S_ISLNK(prg_info.st_mode))*/) { 542 612 log_err("cannot stat program: (%s)\n", cmd); 543 613 exit(117); 544 614 } … … 546 616 /* 547 617 * Error out if the program is writable by others. 548 618 */ 619 #if 0 549 620 if ((prg_info.st_mode & S_IWOTH) || (prg_info.st_mode & S_IWGRP)) { 550 621 log_err("file is writable by others: (%s/%s)\n", cwd, cmd); 551 622 exit(118); 552 623 } 624 #endif 553 625 554 626 /* 555 627 * Error out if the file is setuid or setgid. … … 563 635 * Error out if the target name/group is different from 564 636 * the name/group of the cwd or the program. 565 637 */ 638 #if 0 566 639 if ((uid != dir_info.st_uid) || 567 640 (gid != dir_info.st_gid) || 568 641 (uid != prg_info.st_uid) || … … 574 647 prg_info.st_uid, prg_info.st_gid); 575 648 exit(120); 576 649 } 650 #endif 577 651 /* 578 652 * Error out if the program is not executable for the user. 579 653 * Otherwise, she won't find any error in the logs except for … … 609 683 log = NULL; 610 684 } 611 685 686 if (is_static_extension(cmd)) { 687 argv[2] = STATIC_CAT_PATH; 688 execv(STATIC_CAT_PATH, &argv[2]); 689 log_err("(%d)%s: static_cat exec failed (%s)\n", errno, strerror(errno), argv[2]); 690 exit(255); 691 } 692 612 693 /* 613 694 * Execute the command, replacing our image with its own. 614 695 */ 
Note: See TracBrowser
        for help on using the repository browser.
    
