From jor...@apache.org
Subject svn commit: r1342065 - in /httpd/httpd/trunk: CHANGES Makefile.in configure.in docs/manual/suexec.html.en modules/arch/unix/mod_unixd.c
Date Wed, 23 May 2012 21:38:40 GMT
Author: jorton
Date: Wed May 23 21:38:39 2012
New Revision: 1342065

URL: http://svn.apache.org/viewvc?rev=1342065&view=rev
Log:
suexec: Support use of setgid/setuid capability bits on Linux, a
weaker set of privileges than the full setuid/setgid root binary.

* configure.in: Add --enable-suexec-capabilities flag.

* Makefile.in: If configured, use setcap instead of chmod 7555 on
  installed suexec binary.

* modules/arch/unix/mod_unixd.c (unixd_pre_config): Drop test for
  setuid bit if capability bits are used.

* docs/manual/: Add docs.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/Makefile.in
    httpd/httpd/trunk/configure.in
    httpd/httpd/trunk/docs/manual/suexec.html.en
    httpd/httpd/trunk/modules/arch/unix/mod_unixd.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1342065&r1=1342064&r2=1342065&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed May 23 21:38:39 2012
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) suexec: Add --enable-suexec-capabilites support on Linux, to use
+     setuid/setgid capability bits rather than a setuid root binary.
+     [Joe Orton]
+
   *) suexec: Add support for logging to syslog as an alternative to
      logging to a file; use --without-suexec-logfile --with-suexec-syslog.  
      [Joe Orton]

Modified: httpd/httpd/trunk/Makefile.in
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/Makefile.in?rev=1342065&r1=1342064&r2=1342065&view=diff
==============================================================================
--- httpd/httpd/trunk/Makefile.in (original)
+++ httpd/httpd/trunk/Makefile.in Wed May 23 21:38:39 2012
@@ -233,11 +233,22 @@ install-man:
 	  cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf
2>/dev/null || true; \
 	fi
 
-install-suexec:
+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
+
+install-suexec-binary:
 	@if test -f $(builddir)/support/suexec; then \
             test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
             $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
-            chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+	fi
+
+install-suexec-setuid:
+	@if test -f $(builddir)/support/suexec; then \
+	    chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+	fi
+
+install-suexec-caps:
+	@if test -f $(builddir)/support/suexec; then \
+            setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
 	fi
 
 suexec:
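Review bot: The new `setcap 'cap_setuid,cap_setgid+pe'` line in `install-suexec-caps` deserves a comment spelling out how narrow the privilege reduction is, since a reader may take the commit message's "weaker set of privileges" at face value. CAP_SETUID and CAP_SETGID still let the binary switch to uid/gid 0, so what this mode actually removes is the remaining root capabilities (file-permission override and the like), which is presumably why the docs hunk warns that a root-owned log file may become unwritable. File capabilities are stored as an extended attribute and, like the setuid bit, are not honoured on a `nosuid` mount, so a successful `make install` does not by itself prove suexec will work at runtime. I would add above the target: `# Linux file capabilities: still permits switching to any uid/gid (incl. 0) but drops the other root capabilities; requires xattr support and a mount without nosuid.` A failing or missing `setcap` does abort the install, since the if-statement's exit status is that of its last command, so no further check is needed there.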

Modified: httpd/httpd/trunk/configure.in
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/configure.in?rev=1342065&r1=1342064&r2=1342065&view=diff
==============================================================================
--- httpd/httpd/trunk/configure.in (original)
+++ httpd/httpd/trunk/configure.in Wed May 23 21:38:39 2012
@@ -738,6 +738,15 @@ AC_ARG_WITH(suexec-umask,
 APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
   AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
 
+INSTALL_SUEXEC=setuid
+AC_ARG_ENABLE([suexec-capabilities], 
+APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root
suexec), [
+INSTALL_SUEXEC=caps
+AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, 
+          [Enable if suexec is installed with Linux capabilities, not setuid])
+])
+APACHE_SUBST(INSTALL_SUEXEC)
+
 dnl APR should go after the other libs, so the right symbols can be picked up
 if test x${apu_found} != xobsolete; then
   AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`"
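Review bot: The action block added for `AC_ARG_ENABLE([suexec-capabilities], ...)` also runs for `--disable-suexec-capabilities`, because autoconf executes action-if-given for either spelling, so an explicit disable would still set `INSTALL_SUEXEC=caps` and define `AP_SUEXEC_CAPABILITIES`. Guard on the value: wrap the two statements in `if test "x$enableval" = "xyes"; then` ... `fi`. Nothing in this hunk checks that `setcap` is available or that the host is Linux; an `AC_CHECK_PROG([SETCAP], [setcap], [setcap])` followed by `AC_MSG_ERROR` when it is empty would fail at configure time rather than at `make install`. The hunk ends inside configure.in, so whether a later check covers this is not visible here.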

Modified: httpd/httpd/trunk/docs/manual/suexec.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/suexec.html.en?rev=1342065&r1=1342064&r2=1342065&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/suexec.html.en (original)
+++ httpd/httpd/trunk/docs/manual/suexec.html.en Wed May 23 21:38:39 2012
@@ -372,6 +372,21 @@
       together with the <code>--enable-suexec</code> option to let
       APACI accept your request for using the suEXEC feature.</dd>
 
+      <dt><code>--enable-suexec-capabilities</code></dt>
+
+      <dd><strong>Linux specific:</strong> Normally,
+      the <code>suexec</code> binary is installed "setuid/setgid
+      root", which allows it to run with the full privileges of the
+      root user.  If this option is used, the <code>suexec</code>
+      binary will instead be installed with only the setuid/setgid
+      "capability" bits set, which is the subset of full root
+      priviliges required for suexec operation.  Note that
+      the <code>suexec</code> binary may not be able to write to a log
+      file in this mode; it is recommended that the
+      <code>--with-suexec-syslog --without-suexec-logfile</code>
+      options are used in conjunction with this mode, so that syslog
+      logging is used instead.</dd>
+
       <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
 
       <dd>The path to the <code>suexec</code> binary must be hard-coded

Modified: httpd/httpd/trunk/modules/arch/unix/mod_unixd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/arch/unix/mod_unixd.c?rev=1342065&r1=1342064&r2=1342065&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/arch/unix/mod_unixd.c (original)
+++ httpd/httpd/trunk/modules/arch/unix/mod_unixd.c Wed May 23 21:38:39 2012
@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d
     return NULL;
 }
 
+#ifdef AP_SUEXEC_CAPABILITIES
+/* If suexec is using capabilities, don't test for the setuid bit. */
+#define SETUID_TEST(finfo) (1)
+#else
+#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
+#endif
+
 static int
 unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
                  apr_pool_t *ptemp)
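Review bot: The new `SETUID_TEST(finfo)` macro does not parenthesize its argument (`finfo.protection`), so it only works when invoked with a plain identifier; the usual form is `((finfo).protection & APR_USETID)`, and the capabilities variant could be `((void)(finfo), 1)` so an argument is never silently dropped. Given both variants are used exactly once with a struct, a `static int` helper with the `#ifdef` inside its body would avoid the macro hazards entirely and give the compiler a chance to warn on misuse. The one-line comment above the macro could also state the consequence: `/* With file capabilities the setuid bit is absent, so only ownership and execute permission are checked here. */`.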
@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_
     ap_unixd_config.suexec_enabled = 0;
     if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
          == APR_SUCCESS) {
-        if ((wrapper.protection & APR_USETID) && wrapper.user == 0
+        if (SETUID_TEST(wrapper) && wrapper.user == 0
             && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
             ap_unixd_config.suexec_enabled = 1;
             ap_unixd_config.suexec_disabled_reason = "";
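Review bot: With `AP_SUEXEC_CAPABILITIES` defined, the changed `if` reduces to root ownership plus `access(R_OK|X_OK)`, so a suexec binary installed without its file capabilities (for example copied with `cp`, which drops xattrs, or placed on a `nosuid` mount) is still reported as enabled, and the problem only surfaces when the wrapper's setuid()/setgid() calls fail at request time. The setuid-bit test was a cheap pre-flight for exactly this case; an equivalent check in caps mode would need libcap's `cap_get_file()` or a `getxattr(..., "security.capability", ...)` probe, which is a new dependency, so at minimum the gap should be recorded: `/* In capabilities mode the file caps cannot be cheaply verified here; a mis-installed wrapper is only detected at exec time. */`. The `wrapper.user == 0` requirement is retained even though file capabilities do not depend on ownership; that reads as a deliberate hardening check but is worth a word in the same comment. The enclosing unixd_pre_config continues past the hunk.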


