From: Joe Orton Date: Wed, 23 May 2012 21:38:39 +0000 (+0000) Subject: suexec: Support use of setgid/setuid capability bits on Linux, a X-Git-Tag: 2.5.0-alpha~6793 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=beaee8f4e3a275badb8239bf798379e0a8ad5de0;p=thirdparty%2Fapache%2Fhttpd.git suexec: Support use of setgid/setuid capability bits on Linux, a weaker set of privileges than the full setuid/setgid root binary. * configure.in: Add --enable-suexec-capabilites flag. * Makefile.in: If configured, use setcap instead of chmod 7555 on installed suexec binary. * modules/arch/unix/mod_unixd.c (unixd_pre_config): Drop test for setuid bit if capability bits are used. * docs/manual/: Add docs. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1342065 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 34c65d91a13..7b805b79b14 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) suexec: Add --enable-suexec-capabilites support on Linux, to use + setuid/setgid capability bits rather than a setuid root binary. + [Joe Orton] + *) suexec: Add support for logging to syslog as an alternative to logging to a file; use --without-suexec-logfile --with-suexec-syslog. [Joe Orton] diff --git a/Makefile.in b/Makefile.in index 31a59fc1319..ad71290a58a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -233,11 +233,22 @@ install-man: cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ fi -install-suexec: +install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC) + +install-suexec-binary: @if test -f $(builddir)/support/suexec; then \ test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ - chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ + fi + +install-suexec-setuid: + @if test -f $(builddir)/support/suexec; then \ + chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ + fi + +install-suexec-caps: + @if test -f $(builddir)/support/suexec; then \ + setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ fi suexec: diff --git a/configure.in b/configure.in index e76dc640b68..19ebd887d69 100644 --- a/configure.in +++ b/configure.in @@ -738,6 +738,15 @@ AC_ARG_WITH(suexec-umask, APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] ) +INSTALL_SUEXEC=setuid +AC_ARG_ENABLE([suexec-capabilities], +APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [ +INSTALL_SUEXEC=caps +AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, + [Enable if suexec is installed with Linux capabilities, not setuid]) +]) +APACHE_SUBST(INSTALL_SUEXEC) + dnl APR should go after the other libs, so the right symbols can be picked up if test x${apu_found} != xobsolete; then AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`" diff --git a/docs/manual/suexec.html.en b/docs/manual/suexec.html.en index bec41dfa1e5..a34c13f04d0 100644 --- a/docs/manual/suexec.html.en +++ b/docs/manual/suexec.html.en @@ -372,6 +372,21 @@ together with the --enable-suexec option to let APACI accept your request for using the suEXEC feature. +
--enable-suexec-capabilities
+ +
Linux specific: Normally, + the suexec binary is installed "setuid/setgid + root", which allows it to run with the full privileges of the + root user. If this option is used, the suexec + binary will instead be installed with only the setuid/setgid + "capability" bits set, which is the subset of full root + priviliges required for suexec operation. Note that + the suexec binary may not be able to write to a log + file in this mode; it is recommended that the + --with-suexec-syslog --without-suexec-logfile + options are used in conjunction with this mode, so that syslog + logging is used instead.
+
--with-suexec-bin=PATH
The path to the suexec binary must be hard-coded diff --git a/modules/arch/unix/mod_unixd.c b/modules/arch/unix/mod_unixd.c index f6e95007361..1baa278c3fd 100644 --- a/modules/arch/unix/mod_unixd.c +++ b/modules/arch/unix/mod_unixd.c @@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *dummy, int arg) return NULL; } +#ifdef AP_SUEXEC_CAPABILITIES +/* If suexec is using capabilities, don't test for the setuid bit. */ +#define SETUID_TEST(finfo) (1) +#else +#define SETUID_TEST(finfo) (finfo.protection & APR_USETID) +#endif + static int unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) @@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, ap_unixd_config.suexec_enabled = 0; if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) == APR_SUCCESS) { - if ((wrapper.protection & APR_USETID) && wrapper.user == 0 + if (SETUID_TEST(wrapper) && wrapper.user == 0 && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) { ap_unixd_config.suexec_enabled = 1; ap_unixd_config.suexec_disabled_reason = "";