suexec: Support use of setgid/setuid capability bits on Linux, a

weaker set of privileges than the full setuid/setgid root binary.

* configure.in: Add --enable-suexec-capabilites flag.

* Makefile.in: If configured, use setcap instead of chmod 7555 on
  installed suexec binary.

* modules/arch/unix/mod_unixd.c (unixd_pre_config): Drop test for
  setuid bit if capability bits are used.

* docs/manual/: Add docs.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1342065 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 13 insertions, 2 deletions

diff --git a/Makefile.in b/Makefile.in
index 31a59fc131..ad71290a58 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -233,11 +233,22 @@ install-man:
 	  cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \
 	fi
 
-install-suexec:
+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)
+
+install-suexec-binary:
 	@if test -f $(builddir)/support/suexec; then \
             test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
             $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
-            chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+	fi
+
+install-suexec-setuid:
+	@if test -f $(builddir)/support/suexec; then \
+	    chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
+	fi
+
+install-suexec-caps:
+	@if test -f $(builddir)/support/suexec; then \
+            setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
 	fi
 
 suexec: