httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@hyperreal.org>
Subject cvs commit: apachen/src/modules/standard mod_cgi.c
Date Fri, 26 Sep 1997 03:52:16 GMT
dgaudet     97/09/25 20:52:15

  Modified:    src      CHANGES
               src/main httpd.h util.c util_script.c
               src/modules/standard mod_cgi.c
  Log:
  Change to CGI permission test to allow User/Group tests to do the
  right thing for suexec. [Randy Terbush] PR#918
  
  (I had to rework this because the original was from pre-indent -djg)
  
  PR:		918
  Submitted by:	Randy Terbush
  Reviewed by:	Dean Gaudet, Jim Jagielski
  
  Revision  Changes    Path
  1.451     +3 -0      apachen/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/CHANGES,v
  retrieving revision 1.450
  retrieving revision 1.451
  diff -u -r1.450 -r1.451
  --- CHANGES	1997/09/26 03:26:21	1.450
  +++ CHANGES	1997/09/26 03:52:08	1.451
  @@ -1,4 +1,7 @@
   Changes with Apache 1.3b1
  +  
  +  *) Change to CGI permission test to allow User/Group tests to do the
  +     right thing for suexec. [Randy Terbush] PR#918
   
     *) send_fb would not detect aborted connections in some situations.
        [Dean Gaudet]
  
  
  
  1.150     +1 -1      apachen/src/main/httpd.h
  
  Index: httpd.h
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/main/httpd.h,v
  retrieving revision 1.149
  retrieving revision 1.150
  diff -u -r1.149 -r1.150
  --- httpd.h	1997/09/16 00:25:46	1.149
  +++ httpd.h	1997/09/26 03:52:10	1.150
  @@ -834,7 +834,7 @@
   API_EXPORT(uid_t) uname2id(const char *name);
   API_EXPORT(gid_t) gname2id(const char *name);
   API_EXPORT(int) is_directory(const char *name);
  -API_EXPORT(int) can_exec(const struct stat *);
  +API_EXPORT(int) can_exec(const struct stat *, uid_t, gid_t);
   API_EXPORT(void) chdir_file(const char *file);
   
   #ifndef HAVE_CANONICAL_FILENAME
  
  
  
  1.70      +3 -3      apachen/src/main/util.c
  
  Index: util.c
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/main/util.c,v
  retrieving revision 1.69
  retrieving revision 1.70
  diff -u -r1.69 -r1.70
  --- util.c	1997/09/14 22:18:57	1.69
  +++ util.c	1997/09/26 03:52:11	1.70
  @@ -1070,7 +1070,7 @@
       return (x ? 1 : 0);		/* If the first character is ':', it's broken, too */
   }
   
  -API_EXPORT(int) can_exec(const struct stat *finfo)
  +API_EXPORT(int) can_exec(const struct stat *finfo, uid_t uid, gid_t gid)
   {
   #ifdef MULTIPLE_GROUPS
       int cnt;
  @@ -1079,10 +1079,10 @@
       /* OS/2 dosen't have Users and Groups */
       return 1;
   #else
  -    if (user_id == finfo->st_uid)
  +    if (uid == finfo->st_uid)
   	if (finfo->st_mode & S_IXUSR)
   	    return 1;
  -    if (group_id == finfo->st_gid)
  +    if (gid == finfo->st_gid)
   	if (finfo->st_mode & S_IXGRP)
   	    return 1;
   #ifdef MULTIPLE_GROUPS
  
  
  
  1.75      +14 -0     apachen/src/main/util_script.c
  
  Index: util_script.c
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
  retrieving revision 1.74
  retrieving revision 1.75
  diff -u -r1.74 -r1.75
  --- util_script.c	1997/09/16 03:49:57	1.74
  +++ util_script.c	1997/09/26 03:52:12	1.75
  @@ -827,6 +827,13 @@
   	    grpname = gr->gr_name;
   	}
   
  +	if (!can_exec(&r->finfo, pw->pw_uid, gr->gr_gid)) {
  +	    aplog_error(APLOG_MARK, APLOG_ERR, r->server,
  +			"file permissions deny server execution: %s",
  +			r->filename);
  +	    return -1;
  +	}
  +
   	if (shellcmd)
   	    execle(SUEXEC_BIN, SUEXEC_BIN, execuser, grpname, argv0, NULL, env);
   
  @@ -841,6 +848,13 @@
   	}
       }
       else {
  +	if (!can_exec(&r->finfo, user_id, group_id)) {
  +	    aplog_error(APLOG_MARK, APLOG_ERR, r->server,
  +			"file permissions deny server execution: %s",
  +			r->filename);
  +	    return -1;
  +	}
  +
   	if (shellcmd)
   	    execle(SHELL_PATH, SHELL_PATH, "-c", argv0, NULL, env);
   
  
  
  
  1.57      +0 -5      apachen/src/modules/standard/mod_cgi.c
  
  Index: mod_cgi.c
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/modules/standard/mod_cgi.c,v
  retrieving revision 1.56
  retrieving revision 1.57
  diff -u -r1.56 -r1.57
  --- mod_cgi.c	1997/09/18 08:12:23	1.56
  +++ mod_cgi.c	1997/09/26 03:52:14	1.57
  @@ -400,11 +400,6 @@
   	return log_scripterror(r, conf, NOT_FOUND,
   			       "script not found or unable to stat");
   #endif
  -    if (!suexec_enabled) {
  -	if (!can_exec(&r->finfo))
  -	    return log_scripterror(r, conf, FORBIDDEN,
  -				   "file permissions deny server execution");
  -    }
   
       if ((retval = setup_client_block(r, REQUEST_CHUNKED_ERROR)))
   	return retval;
  
  
  

Mime
View raw message