From: Ken Coar Date: Fri, 26 Oct 2001 18:05:26 +0000 (+0000) Subject: Some platforms varf on a setgid(-1) and hence httpd will fall X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=31388a2ce5c07cc4048e97766d59d6a152abc64c;p=thirdparty%2Fapache%2Fhttpd.git Some platforms varf on a setgid(-1) and hence httpd will fall over immediately after being started. However, since 'Group #-1' is syntactically correct, apachectl won't catch this and will assume the server started successfully. This checkgid app will return -1 if any of the Apache-understandable group values (i.e., name or "#n") are invalid. apachestl still needs to be enhanced to use this. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@91668 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/src/CHANGES b/src/CHANGES index c164ea6e0cb..7b05390628a 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,9 @@ Changes with Apache 1.3.23 + *) Add checkgid app to do run-time validation of Group directive + values which might cause the server to fall over, but which + are syntactically correct. [Ken Coar] + *) NetWare: Added mod_unique_id to the project file. [Brad Nicholes bnicholes@novell.com] diff --git a/src/support/Makefile.tmpl b/src/support/Makefile.tmpl index f06a2f2768b..a7fe861d24d 100644 --- a/src/support/Makefile.tmpl +++ b/src/support/Makefile.tmpl @@ -12,9 +12,9 @@ LIBS=-lm -lap -los $(EXTRA_LIBS) $(LIBS1) INCLUDES=$(INCLUDES1) $(INCLUDES0) $(EXTRA_INCLUDES) LDFLAGS=$(LDFLAGS1) $(EXTRA_LDFLAGS) -L$(OSDIR) -L$(SRCDIR)/ap -TARGETS=htpasswd htdigest rotatelogs logresolve ab apxs +TARGETS=htpasswd htdigest rotatelogs logresolve ab apxs checkgid -OBJS=htpasswd.o htdigest.o rotatelogs.o logresolve.o ab.o +OBJS=htpasswd.o htdigest.o rotatelogs.o logresolve.o ab.o checkgid.o .c.o: $(CC) -c $(INCLUDES) $(CFLAGS) $< 
@@ -36,6 +36,9 @@ logresolve: logresolve.o ab: ab.o $(CC) $(CFLAGS) -o ab $(LDFLAGS) ab.o $(LIBS) +checkgid: checkgid.o + $(CC) $(CFLAGS) -o checkgid $(LDFLAGS) checkgid.o $(LIBS) + apxs: apxs.pl sed apxs \ -e 's%@TARGET@%$(TARGET)%g' \ diff --git a/src/support/checkgid.c b/src/support/checkgid.c new file mode 100644 index 00000000000..3f2e7490da6 --- /dev/null +++ b/src/support/checkgid.c 
@@ -0,0 +1,136 @@
+/* ====================================================================
+ * The Apache Software License, Version 1.1
+ *
+ * Copyright (c) 2000 The Apache Software Foundation. All rights
+ * reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. The end-user documentation included with the redistribution,
+ * if any, must include the following acknowledgment:
+ * "This product includes software developed by the
+ * Apache Software Foundation (http://www.apache.org/)."
+ * Alternately, this acknowledgment may appear in the software itself,
+ * if and wherever such third-party acknowledgments normally appear.
+ *
+ * 4. The names "Apache" and "Apache Software Foundation" must
+ * not be used to endorse or promote products derived from this
+ * software without prior written permission. For written
+ * permission, please contact apache@apache.org.
+ *
+ * 5. Products derived from this software may not be called "Apache",
+ * nor may "Apache" appear in their name, without prior written
+ * permission of the Apache Software Foundation.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * ====================================================================
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * .
+ */
+
+/*
+ * Given one or more group identifers on the command line (e.g.,
+ * "httpd" or "#-1"), figure out whether they'll be valid for
+ * the server to use at run-time.
+ *
+ * If a groupname isn't found, or we can't setgid() to it, return
+ * -1. If all groups are valid, return 0.
+ *
+ * This may need to be run as the superuser for the setgid() to
+ * succeed; running it as any other user may result in a false
+ * negative.
+ */
+
+#include
+#include "httpd.h"
+#include "http_conf_globals.h"
+
+int main(int argc, char *argv[])
+{
+ int i;
+ int result;
+ gid_t gid;
+ struct group *grent;
+ struct group fake_grent;
+
+ /*
+ * Assume success. :-)
+ */
+ result = 0;
+ for (i = 1; i < argc; ++i) {
+ char *arg;
+ arg = argv[i];
+
+ /*
+ * If it's from a 'Group #-1' statement, get the numeric value
+ * and skip the group lookup stuff.
+ */
+ if (*arg == '#') {
+ gid = atoi(&arg[1]);
+ fake_grent.gr_gid = gid;
+ grent = &fake_grent;
+ }
+ else {
+ grent = getgrnam(arg);
+ }
+
+ /*
+ * A NULL return means no such group was found, so we're done
+ * with this one.
+ */
+ if (grent == NULL) {
+ fprintf(stderr, "%s: group '%s' not found\n", argv[0], arg);
+ result = -1;
+ }
+ else {
+ int check;
+
+ /*
+ * See if we can switch to the numeric GID we have. If so,
+ * all well and good; if not, well..
+ */
+ gid = grent->gr_gid;
+ check = setgid(gid);
+ if (check != 0) {
+ fprintf(stderr, "%s: invalid group '%s'\n", argv[0], arg);
+ perror(argv[0]);
+ result = -1;
+ }
+ }
+ }
+ /*
+ * Worst-case return value.
+ */
+ return result;
+}
+/*
+ * Local Variables:
+ * mode: C
+ * c-file-style: "bsd"
+ * End:
+ */
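Review bot: The `#n` branch in `main` converts with `atoi(&arg[1])`, which returns 0 for an empty or non-numeric suffix, so a mistyped value such as `#` or `#x` is checked as GID 0 and, when the tool runs as the superuser, `setgid(0)` succeeds and the value is reported valid. For a validator that matters twice: a malformed directive passes, and the group it silently resolves to is the privileged one. `atoi` also has undefined behaviour on out-of-range input. Parsing with `strtol` and rejecting an empty or partially consumed string and `ERANGE` keeps `#-1` testable through `setgid()` while flagging malformed values; the sketch below assumes `<errno.h>` is reachable through the existing includes, which this hunk does not show. Separately, `perror(argv[0])` runs after an `fprintf` that may overwrite `errno`, so saving `errno` right after `setgid()` would keep the reported reason accurate.

```c
        if (*arg == '#') {
            char *end;
            long val;

            errno = 0;
            val = strtol(&arg[1], &end, 10);
            if (end == &arg[1] || *end != '\0' || errno == ERANGE) {
                fprintf(stderr, "%s: malformed numeric group '%s'\n",
                        argv[0], arg);
                result = -1;
                continue;
            }
            gid = (gid_t) val;
            /* … unchanged: fake_grent setup, getgrnam() branch, setgid() check … */
```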