From: wurblzap%gmail.com <>
Date: Fri, 3 Apr 2009 08:03:13 +0000 (+0000)
Subject: Bug 123165 – Permissions setup option for bugzilla_user==webserver_user (suexec).
X-Git-Tag: bugzilla-3.5.1~264
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f9a7938b592a1d95fc718c2b86cf90506615b675;p=thirdparty%2Fbugzilla.git

Bug 123165 – Permissions setup option for bugzilla_user==webserver_user (suexec).
Patch by Marc Schumann <wurblzap@gmail.com>; r/a=mkanat
---

diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
index 17129b2abb..4cbbd57cc2 100644
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -51,10 +51,10 @@ our @EXPORT = qw(
 # a perldoc. However, look at the various hashes defined inside this 
 # function to understand what it returns. (There are comments throughout.)
 #
-# The rationale for the file permissions is that the web server generally 
-# runs as apache, so the cgi scripts should not be writable for apache,
-# otherwise someone may find it possible to change the cgis when exploiting
-# some security flaw somewhere (not necessarily in Bugzilla!)
+# The rationale for the file permissions is that there is a group the
+# web server executes the scripts as, so the cgi scripts should not be writable
+# by this group. Otherwise someone may find it possible to change the cgis
+# when exploiting some security flaw somewhere (not necessarily in Bugzilla!)
 sub FILESYSTEM {
     my $datadir       = bz_locations()->{'datadir'};
     my $attachdir     = bz_locations()->{'attachdir'};
@@ -67,6 +67,7 @@ sub FILESYSTEM {
     my $localconfig   = bz_locations()->{'localconfig'};
 
     my $ws_group      = Bugzilla->localconfig->{'webservergroup'};
+    my $use_suexec    = Bugzilla->localconfig->{'use_suexec'};
 
     # The set of permissions that we use:
 
@@ -76,7 +77,7 @@ sub FILESYSTEM {
     # Executable by the owner only.
     my $owner_executable = 0700;
     # Readable by the web server.
-    my $ws_readable = $ws_group ? 0640 : 0644;
+    my $ws_readable = ($ws_group && !$use_suexec) ? 0640 : 0644;
     # Readable by the owner only.
     my $owner_readable = 0600;
     # Writeable by the web server.
@@ -84,7 +85,7 @@ sub FILESYSTEM {
 
     # DIRECTORIES
     # Readable by the web server.
-    my $ws_dir_readable  = $ws_group ? 0750 : 0755;
+    my $ws_dir_readable  = ($ws_group && !$use_suexec) ? 0750 : 0755;
     # Readable only by the owner.
     my $owner_dir_readable = 0700;
     # Writeable by the web server.
diff --git a/Bugzilla/Install/Localconfig.pm b/Bugzilla/Install/Localconfig.pm
index 5cd7755e83..9710647226 100644
--- a/Bugzilla/Install/Localconfig.pm
+++ b/Bugzilla/Install/Localconfig.pm
@@ -67,9 +67,11 @@ EOT
     {
         name    => 'webservergroup',
         default => ON_WINDOWS ? '' : 'apache',
-        desc    => q{# This is the group your web server runs as.
+        desc    => q{# Usually, this is the group your web server runs as.
 # If you have a Windows box, ignore this setting.
-# If you do not have access to the group your web server runs under,
+# If you have use_suexec switched on below, this is the group Apache switches
+# to in order to run Bugzilla scripts.
+# If you do not have access to the group your scripts will run under,
 # set this to "". If you do set this to "", then your Bugzilla installation
 # will be _VERY_ insecure, because some files will be world readable/writable,
 # and so anyone who can get local access to your machine can do whatever they
@@ -77,6 +79,21 @@ EOT
 # and you cannot set this up any other way. YOU HAVE BEEN WARNED!
 # If you set this to anything other than "", you will need to run checksetup.pl
 # as} . ROOT_USER . qq{, or as a user who is a member of the specified group.\n}
+    },
+    {
+        name    => 'use_suexec',
+        default => 0,
+        desc    => <<EOT
+# Set this if Bugzilla runs in an Apache SuexecUserGroup environment.
+# (If your web server runs control panel software (cPanel, Plesk or similar),
+# or if your Bugzilla is to run in a shared hosting environment, then you are
+# almost certainly in an Apache SuexecUserGroup environment.)
+# If you have a Windows box, ignore this setting.
+# If set to 0, Bugzilla will set file permissions as tightly as possible.
+# If set to 1, Bugzilla will set file permissions so that it may work in an
+# SuexecUserGroup environment. The difference is that static files (CSS,
+# JavaScript and so on) will receive world read permissions.
+EOT
     },
     {
         name    => 'db_driver',
diff --git a/testserver.pl b/testserver.pl
index f7949948f3..1e2af661af 100755
--- a/testserver.pl
+++ b/testserver.pl
@@ -59,7 +59,8 @@ my $webgroupnum = 0;
 my $webservergroup = Bugzilla->localconfig->{webservergroup};
 if ($webservergroup =~ /^(\d+)$/) {
     $webgroupnum = $1;
-} else {
+}
+else {
     eval { $webgroupnum = (getgrnam $webservergroup) || 0; };
 }
 
@@ -70,16 +71,19 @@ if ($sgid > 0) {
 "WARNING \$webservergroup is set to an empty string.
 That is a very insecure practice. Please refer to the
 Bugzilla documentation.\n";
-    } elsif ($webgroupnum == $sgid) {
+    }
+    elsif ($webgroupnum == $sgid || Bugzilla->localconfig->{use_suexec}) {
         print "TEST-OK Webserver is running under group id in \$webservergroup.\n";
-    } else {
+    }
+    else {
         print 
 "TEST-WARNING Webserver is running under group id not matching \$webservergroup.
 This if the tests below fail, this is probably the problem.
 Please refer to the web server configuration section of the Bugzilla guide. 
 If you are using virtual hosts or suexec, this warning may not apply.\n";
     }
-} elsif ($^O !~ /MSWin32/i) {
+}
+elsif ($^O !~ /MSWin32/i) {
    print
 "TEST-WARNING Failed to find the GID for the 'httpd' process, unable
 to validate webservergroup.\n";