author | Joe Orton <jorton@apache.org> | 2012-05-23 21:38:39 +0000 |
---|---|---|
committer | Joe Orton <jorton@apache.org> | 2012-05-23 21:38:39 +0000 |
commit | beaee8f4e3a275badb8239bf798379e0a8ad5de0 (patch) | |
tree | af9d06875cbd458486afdb8a67fc9320d8d026fd | |
parent | c82d3e4180e7fbc0783f306b53c877a4ac2f2ba0 (diff) | |
download | httpd-beaee8f4e3a275badb8239bf798379e0a8ad5de0.tar.gz |
suexec: Support use of setgid/setuid capability bits on Linux, a
weaker set of privileges than the full setuid/setgid root binary.
* configure.in: Add --enable-suexec-capabilities flag.
* Makefile.in: If configured, use setcap instead of chmod 7555 on
installed suexec binary.
* modules/arch/unix/mod_unixd.c (unixd_pre_config): Drop test for
setuid bit if capability bits are used.
* docs/manual/: Add docs.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1342065 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | Makefile.in | 15 | ||||
-rw-r--r-- | configure.in | 9 | ||||
-rw-r--r-- | docs/manual/suexec.html.en | 15 | ||||
-rw-r--r-- | modules/arch/unix/mod_unixd.c | 9 |
5 files changed, 49 insertions, 3 deletions
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) suexec: Add --enable-suexec-capabilites support on Linux, to use
+ setuid/setgid capability bits rather than a setuid root binary.
+ [Joe Orton]
+
 *) suexec: Add support for logging to syslog as an alternative to logging to a file; use --without-suexec-logfile --with-suexec-syslog. [Joe Orton]
diff --git a/Makefile.in b/Makefile.in
index 31a59fc131..ad71290a58 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -233,11 +233,22 @@ install-man:
 cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
 fi
-install-suexec:
+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
+
+install-suexec-binary:
 @if test -f $(builddir)/support/suexec; then \
 test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
 $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
+install-suexec-setuid:
+ @if test -f $(builddir)/support/suexec; then \
+ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+ fi
+
+install-suexec-caps:
+ @if test -f $(builddir)/support/suexec; then \
+ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
 fi
 suexec:
diff --git a/configure.in b/configure.in
index e76dc640b6..19ebd887d6 100644
--- a/configure.in
+++ b/configure.in
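Review bot: In the Makefile.in hunk, `install-suexec-caps` moves the privilege from a mode bit into a file capability, and nothing in the recipe tells a packager working from `$(DESTDIR)` what that implies. `setcap` needs privilege at install time, and the capability is stored as an extended attribute that copy or archive steps may drop unless told to preserve it. Since the mod_unixd.c change in this commit stops checking the binary's privilege at startup, a stripped capability would presumably go unnoticed until suexec is actually invoked. A comment above the target would help, e.g. `# File capabilities are an xattr: re-run setcap after any copy or packaging step that does not preserve xattrs.` Note also that `cap_setuid` by itself permits switching to any uid, so how much is gained over setuid root depends on suexec's own code, which is not part of this diff.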
@@ -738,6 +738,15 @@ AC_ARG_WITH(suexec-umask, APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
+INSTALL_SUEXEC=setuid
+AC_ARG_ENABLE([suexec-capabilities],
+APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
+INSTALL_SUEXEC=caps
+AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
+ [Enable if suexec is installed with Linux capabilities, not setuid])
+])
+APACHE_SUBST(INSTALL_SUEXEC)
+
 dnl APR should go after the other libs, so the right symbols can be picked up
 if test x${apu_found} != xobsolete; then
 AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`"
diff --git a/docs/manual/suexec.html.en b/docs/manual/suexec.html.en
index bec41dfa1e..a34c13f04d 100644
--- a/docs/manual/suexec.html.en
+++ b/docs/manual/suexec.html.en
@@ -372,6 +372,21 @@ together with the <code>--enable-suexec</code> option to let APACI accept your request for using the suEXEC feature.</dd>
+ <dt><code>--enable-suexec-capabilities</code></dt>
+
+ <dd><strong>Linux specific:</strong> Normally,
+ the <code>suexec</code> binary is installed "setuid/setgid
+ root", which allows it to run with the full privileges of the
+ root user. If this option is used, the <code>suexec</code>
+ binary will instead be installed with only the setuid/setgid
+ "capability" bits set, which is the subset of full root
+ priviliges required for suexec operation. Note that
+ the <code>suexec</code> binary may not be able to write to a log
+ file in this mode; it is recommended that the
+ <code>--with-suexec-syslog --without-suexec-logfile</code>
+ options are used in conjunction with this mode, so that syslog
+ logging is used instead.</dd>
+
 <dt><code>--with-suexec-bin=<em>PATH</em></code></dt>
 <dd>The path to the <code>suexec</code> binary must be hard-coded
diff --git a/modules/arch/unix/mod_unixd.c b/modules/arch/unix/mod_unixd.c
index f6e9500736..1baa278c3f 100644
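Review bot: In the configure.in hunk, the third argument of `AC_ARG_ENABLE` is the action-if-given, which runs whenever the option appears on the command line. As a result `--disable-suexec-capabilities` and `--enable-suexec-capabilities=no` also set `INSTALL_SUEXEC=caps` and define `AP_SUEXEC_CAPABILITIES`. Wrap the body in `if test "x$enableval" = "xyes"; then` … `fi` so that only an explicit enable switches the install mode. The option is documented as Linux-specific, but nothing here checks the host or that `setcap` exists, so a wrong choice surfaces only at `make install`. An `AC_PATH_PROG` lookup for `setcap` would catch it at configure time.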
--- a/modules/arch/unix/mod_unixd.c
+++ b/modules/arch/unix/mod_unixd.c
@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *dummy, int arg)
 return NULL;
 }
+#ifdef AP_SUEXEC_CAPABILITIES
+/* If suexec is using capabilities, don't test for the setuid bit. */
+#define SETUID_TEST(finfo) (1)
+#else
+#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
+#endif
+
 static int
 unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
 apr_pool_t *ptemp)
@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
 ap_unixd_config.suexec_enabled = 0;
 if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) == APR_SUCCESS) {
- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
+ if (SETUID_TEST(wrapper) && wrapper.user == 0
 && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
 ap_unixd_config.suexec_enabled = 1;
 ap_unixd_config.suexec_disabled_reason = ""; |
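Review bot: With `AP_SUEXEC_CAPABILITIES` defined, `SETUID_TEST(finfo)` in the first hunk is the constant `(1)`, so the condition in the second hunk sets `suexec_enabled = 1` for any root-owned, accessible `SUEXEC_BIN`, whether or not it still carries the capability bits. If the capability was lost after install, the server would presumably still report suexec as enabled and fail only when a request tries to use it. Either verify the capability at startup (libcap's `cap_get_file()` could do this, at the cost of a new dependency) or state the gap in the comment, e.g. `/* Capability bits are not verified here; a missing capability is only detected when suexec runs. */`. Separately, parenthesize the macro argument in the setuid variant: `#define SETUID_TEST(finfo) ((finfo).protection & APR_USETID)`. The body of `unixd_pre_config` starts and ends outside the second hunk.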