From traw...@apache.org
Subject svn commit: r1033519 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_suexec.xml docs/manual/mod/mod_unixd.xml include/ap_mmn.h modules/arch/unix/mod_unixd.c modules/generators/mod_suexec.c os/unix/unixd.h
Date Wed, 10 Nov 2010 15:34:44 GMT
Author: trawick
Date: Wed Nov 10 15:34:43 2010
New Revision: 1033519

URL: http://svn.apache.org/viewvc?rev=1033519&view=rev
Log:
suEXEC: Add Suexec directive to disable suEXEC without renaming the
binary (Suexec Off), or force startup failure if suEXEC is required
but not supported (Suexec On).  Change SuexecUserGroup to fail 
startup instead of just printing a warning if suEXEC is disabled.

Additionally, ap_unixd_config.suexec_disabled_reason has a message,
suitable for logging/messaging, explaining why the feature isn't
available.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_suexec.xml
    httpd/httpd/trunk/docs/manual/mod/mod_unixd.xml
    httpd/httpd/trunk/include/ap_mmn.h
    httpd/httpd/trunk/modules/arch/unix/mod_unixd.c
    httpd/httpd/trunk/modules/generators/mod_suexec.c
    httpd/httpd/trunk/os/unix/unixd.h

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1033519&r1=1033518&r2=1033519&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Nov 10 15:34:43 2010
@@ -6,6 +6,12 @@ Changes with Apache 2.3.9
      Fix a denial of service attack against mod_reqtimeout.
      [Stefan Fritsch]
 
+  *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
+     binary (Suexec Off), or force startup failure if suEXEC is required
+     but not supported (Suexec On).  Change SuexecUserGroup to fail 
+     startup instead of just printing a warning if suEXEC is disabled.
+     [Jeff Trawick]
+
   *) core: Add Error directive for aborting startup or htaccess processing
      with a specified error message.  [Jeff Trawick]
 

Modified: httpd/httpd/trunk/docs/manual/mod/mod_suexec.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_suexec.xml?rev=1033519&r1=1033518&r2=1033519&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_suexec.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_suexec.xml Wed Nov 10 15:34:43 2010
@@ -62,8 +62,11 @@ later.</compatibility>
     SuexecUserGroup nobody nogroup
     </example>
 
+    <p>In Apache httpd 2.3.9 and later, startup will fail if this
+    directive is specified but the suEXEC feature is disabled.</p>
 </usage>
-
+<seealso><directive module="mod_unixd">Suexec</directive></seealso>
 </directivesynopsis>
+
 </modulesynopsis>
 

Modified: httpd/httpd/trunk/docs/manual/mod/mod_unixd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_unixd.xml?rev=1033519&r1=1033518&r2=1033519&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_unixd.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_unixd.xml Wed Nov 10 15:34:43 2010
@@ -26,6 +26,8 @@
 <description>Basic (required) security for Unix-family platforms.</description>
 <status>Base</status>
 
+<seealso><a href="../suexec.html">suEXEC support</a></seealso>
+
 <directivesynopsis>
 <name>Group</name>
 <description>Group under which the server will answer
@@ -139,4 +141,21 @@ requests</description>
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>Suexec</name>
+<description>Enable or disable the suEXEC feature</description>
+<syntax>Suexec On|Off</syntax>
+<default>On if suexec binary exists with proper owner and mode,
+Off otherwise</default>
+<contextlist><context>server config</context></contextlist>
+<compatibility>Available in Apache httpd 2.3.9 and later</compatibility>
+
+<usage>
+    <p>When On, startup will fail if the suexec binary doesn't exist
+    or has an invalid owner or file mode.</p>
+    <p>When Off, suEXEC will be disabled even if the suexec binary exists
+    and has a valid owner and file mode.</p>
+</usage>
+</directivesynopsis>
+
 </modulesynopsis>

Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1033519&r1=1033518&r2=1033519&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Wed Nov 10 15:34:43 2010
@@ -282,6 +282,7 @@
  *                         mod_ssl's parser. Clean up ap_expr's public
  *                         interface.
  * 20101106.1 (2.3.9-dev)  Add ap_pool_cleanup_set_null() generic cleanup
+ * 20101106.2 (2.3.9-dev)  Add suexec_disabled_reason field to ap_unixd_config
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */

Modified: httpd/httpd/trunk/modules/arch/unix/mod_unixd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/arch/unix/mod_unixd.c?rev=1033519&r1=1033518&r2=1033519&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/arch/unix/mod_unixd.c (original)
+++ httpd/httpd/trunk/modules/arch/unix/mod_unixd.c Wed Nov 10 15:34:43 2010
@@ -260,6 +260,28 @@ unixd_set_chroot_dir(cmd_parms *cmd, voi
     return NULL;
 }
 
+static const char *
+unixd_set_suexec(cmd_parms *cmd, void *dummy, int arg)
+{
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+
+    if (err != NULL) {
+        return err;
+    }
+
+    if (!ap_unixd_config.suexec_enabled && arg) {
+        return apr_pstrcat(cmd->pool, "suEXEC isn't supported: ",
+                           ap_unixd_config.suexec_disabled_reason, NULL);
+    }
+
+    if (!arg) {
+        ap_unixd_config.suexec_disabled_reason = "Suexec directive is Off";
+    }
+
+    ap_unixd_config.suexec_enabled = arg;
+    return NULL;
+}
+
 static int 
 unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
                  apr_pool_t *ptemp)
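Review bot: unixd_set_suexec produces a misleading diagnosis when `Suexec On` follows an earlier `Suexec Off`: the first directive clears `suexec_enabled` and overwrites `suexec_disabled_reason`, so the second one fails startup with "suEXEC isn't supported: Suexec directive is Off", as if the binary itself were unusable, and the pre_config verdict about the binary is lost for that run. One way to keep the two states apart is to record the pre_config result in a file-scope static and test that here, so repeated directives only toggle the flag. The function also has no header comment; I would add `/* Suexec On|Off: On fails startup when pre_config found suEXEC unusable (reason in suexec_disabled_reason); Off disables it regardless. Server-config only. */` above it.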
@@ -278,8 +300,17 @@ unixd_pre_config(apr_pool_t *pconf, apr_
         if ((wrapper.protection & APR_USETID) && wrapper.user == 0
             && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
             ap_unixd_config.suexec_enabled = 1;
+            ap_unixd_config.suexec_disabled_reason = "";
+        }
+        else {
+            ap_unixd_config.suexec_disabled_reason =
+                "Invalid owner or file mode for " SUEXEC_BIN;
         }
     }
+    else {
+        ap_unixd_config.suexec_disabled_reason =
+            "Missing suexec binary " SUEXEC_BIN;
+    }
 
     ap_sys_privileges_handlers(1);
     return OK;
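Review bot: The new `else` branch reports "Invalid owner or file mode" for three distinct failures of the condition above it — the setuid bit missing from `wrapper.protection`, `wrapper.user` not being 0, and `access(SUEXEC_BIN, R_OK|X_OK)` failing — and with this commit that string now ends up in a hard startup failure from `Suexec On` or `SuexecUserGroup`, so the administrator cannot tell which property of the binary to fix. Splitting the condition into a chain lets each reason name the failed check; `wrapper` is presumably the stat result of SUEXEC_BIN from the enclosing `if`, which together with the rest of unixd_pre_config starts before this hunk. The "Missing suexec binary" branch is fine as is.
```c
        /* … unchanged: stat of SUEXEC_BIN into wrapper (outside hunk) … */
        if (!(wrapper.protection & APR_USETID)) {
            ap_unixd_config.suexec_disabled_reason =
                "Missing setuid bit on " SUEXEC_BIN;
        }
        else if (wrapper.user != 0) {
            ap_unixd_config.suexec_disabled_reason =
                SUEXEC_BIN " is not owned by uid 0";
        }
        else if (access(SUEXEC_BIN, R_OK|X_OK) != 0) {
            ap_unixd_config.suexec_disabled_reason =
                SUEXEC_BIN " is not readable and executable by the server";
        }
        else {
            ap_unixd_config.suexec_enabled = 1;
            ap_unixd_config.suexec_disabled_reason = "";
        }
```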
@@ -354,6 +385,8 @@ static const command_rec unixd_cmds[] = 
                   "Effective group id for this server"),
     AP_INIT_TAKE1("ChrootDir", unixd_set_chroot_dir, NULL, RSRC_CONF,
                   "The directory to chroot(2) into"),
+    AP_INIT_FLAG("Suexec", unixd_set_suexec, NULL, RSRC_CONF,
+                 "Enable or disable suEXEC support"),
     {NULL}
 };
 

Modified: httpd/httpd/trunk/modules/generators/mod_suexec.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_suexec.c?rev=1033519&r1=1033518&r2=1033519&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/generators/mod_suexec.c (original)
+++ httpd/httpd/trunk/modules/generators/mod_suexec.c Wed Nov 10 15:34:43 2010
@@ -64,16 +64,18 @@ static const char *set_suexec_ugid(cmd_p
     if (err != NULL) {
         return err;
     }
-    if (ap_unixd_config.suexec_enabled) {
-        cfg->ugid.uid = ap_uname2id(uid);
-        cfg->ugid.gid = ap_gname2id(gid);
-        cfg->ugid.userdir = 0;
-        cfg->active = 1;
-    }
-    else {
-        fprintf(stderr,
-                "Warning: SuexecUserGroup directive requires SUEXEC wrapper.\n");
+
+    if (!ap_unixd_config.suexec_enabled) {
+        return apr_pstrcat(cmd->pool, "SuexecUserGroup configured, but "
+                           "suEXEC is disabled: ",
+                           ap_unixd_config.suexec_disabled_reason, NULL);
     }
+
+    cfg->ugid.uid = ap_uname2id(uid);
+    cfg->ugid.gid = ap_gname2id(gid);
+    cfg->ugid.userdir = 0;
+    cfg->active = 1;
+
     return NULL;
 }
 
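Review bot: The new rejection in set_suexec_ugid is evaluated when the SuexecUserGroup directive is parsed, so it only catches a `Suexec Off` that appears earlier in the configuration; if `SuexecUserGroup` precedes `Suexec Off`, the check passes, `cfg->active` is set, and unixd_set_suexec later clears `suexec_enabled` behind it. What the per-request path does with an active ugid while suEXEC is disabled is not visible here, so I would either re-validate in a check_config hook or document the ordering with `/* Evaluated at directive time: a "Suexec Off" later in the config is not detected here */` above the `if`. Separately, if ap_uname2id/ap_gname2id abort the process on unknown names as their unixd.c implementations appear to, a typo in the user or group still bypasses the clean error path this commit introduces. The function's signature and the context check start before this hunk.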

Modified: httpd/httpd/trunk/os/unix/unixd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/os/unix/unixd.h?rev=1033519&r1=1033518&r2=1033519&view=diff
==============================================================================
--- httpd/httpd/trunk/os/unix/unixd.h (original)
+++ httpd/httpd/trunk/os/unix/unixd.h Wed Nov 10 15:34:43 2010
@@ -77,6 +77,7 @@ typedef struct {
     gid_t group_id;
     int suexec_enabled;
     const char *chroot_dir;
+    const char *suexec_disabled_reason; /* suitable msg if !suexec_enabled */
 } unixd_config_rec;
 AP_DECLARE_DATA extern unixd_config_rec ap_unixd_config;
 
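Review bot: The new field's comment should state its invariant rather than just its use, since both mod_unixd.c and mod_suexec.c now pass it straight to apr_pstrcat: it is only assigned in unixd_pre_config and by the Suexec directive, and it is set to "" (not NULL) when suexec_enabled is 1. I would write `/* Why suEXEC is unavailable; "" when suexec_enabled. Set in unixd pre_config, so NULL before that hook runs. */`. The append at the end of the struct together with the minor MMN bump keeps the layout compatible for existing modules, which is worth noting in the ap_mmn.h line as well.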


