suexec: Support use of setgid/setuid capability bits on Linux, a

weaker set of privileges than the full setuid/setgid root binary.

* configure.in: Add --enable-suexec-capabilites flag.

* Makefile.in: If configured, use setcap instead of chmod 7555 on
  installed suexec binary.

* modules/arch/unix/mod_unixd.c (unixd_pre_config): Drop test for
  setuid bit if capability bits are used.

* docs/manual/: Add docs.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1342065 13f79535-47bb-0310-9956-ffa450edef68

5 files changed, 49 insertions, 3 deletions

diff --git a/CHANGES b/CHANGES
index 34c65d91a1..7b805b79b1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) suexec: Add --enable-suexec-capabilites support on Linux, to use
+     setuid/setgid capability bits rather than a setuid root binary.
+     [Joe Orton]
+
   *) suexec: Add support for logging to syslog as an alternative to
      logging to a file; use --without-suexec-logfile --with-suexec-syslog.  
      [Joe Orton]
diff --git a/Makefile.in b/Makefile.in
index 31a59fc131..ad71290a58 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -233,11 +233,22 @@ install-man:
 	  cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
 	fi
 
-install-suexec:
+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
+
+install-suexec-binary:
 	@if test -f $(builddir)/support/suexec; then \
             test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
             $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
-            chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+	fi
+
+install-suexec-setuid:
+	@if test -f $(builddir)/support/suexec; then \
+	    chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+	fi
+
+install-suexec-caps:
+	@if test -f $(builddir)/support/suexec; then \
+            setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
 	fi
 
 suexec:
diff --git a/configure.in b/configure.in
index e76dc640b6..19ebd887d6 100644
--- a/configure.in
+++ b/configure.in
@@ -738,6 +738,15 @@ AC_ARG_WITH(suexec-umask,
 APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
   AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
 
+INSTALL_SUEXEC=setuid
+AC_ARG_ENABLE([suexec-capabilities], 
+APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
+INSTALL_SUEXEC=caps
+AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, 
+          [Enable if suexec is installed with Linux capabilities, not setuid])
+])
+APACHE_SUBST(INSTALL_SUEXEC)
+
 dnl APR should go after the other libs, so the right symbols can be picked up
 if test x${apu_found} != xobsolete; then
   AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`"
diff --git a/docs/manual/suexec.html.en b/docs/manual/suexec.html.en
index bec41dfa1e..a34c13f04d 100644
--- a/docs/manual/suexec.html.en
+++ b/docs/manual/suexec.html.en
@@ -372,6 +372,21 @@
       together with the <code>--enable-suexec</code> option to let
       APACI accept your request for using the suEXEC feature.</dd>
 
+      <dt><code>--enable-suexec-capabilities</code></dt>
+
+      <dd><strong>Linux specific:</strong> Normally,
+      the <code>suexec</code> binary is installed "setuid/setgid
+      root", which allows it to run with the full privileges of the
+      root user.  If this option is used, the <code>suexec</code>
+      binary will instead be installed with only the setuid/setgid
+      "capability" bits set, which is the subset of full root
+      priviliges required for suexec operation.  Note that
+      the <code>suexec</code> binary may not be able to write to a log
+      file in this mode; it is recommended that the
+      <code>--with-suexec-syslog --without-suexec-logfile</code>
+      options are used in conjunction with this mode, so that syslog
+      logging is used instead.</dd>
+
       <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
 
       <dd>The path to the <code>suexec</code> binary must be hard-coded
diff --git a/modules/arch/unix/mod_unixd.c b/modules/arch/unix/mod_unixd.c
index f6e9500736..1baa278c3f 100644
--- a/modules/arch/unix/mod_unixd.c
+++ b/modules/arch/unix/mod_unixd.c
@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *dummy, int arg)
     return NULL;
 }
 
+#ifdef AP_SUEXEC_CAPABILITIES
+/* If suexec is using capabilities, don't test for the setuid bit. */
+#define SETUID_TEST(finfo) (1)
+#else
+#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
+#endif
+
 static int
 unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
                  apr_pool_t *ptemp)
@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
     ap_unixd_config.suexec_enabled = 0;
     if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
          == APR_SUCCESS) {
-        if ((wrapper.protection & APR_USETID) && wrapper.user == 0
+        if (SETUID_TEST(wrapper) && wrapper.user == 0
             && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
             ap_unixd_config.suexec_enabled = 1;
             ap_unixd_config.suexec_disabled_reason = "";