# ./pullrev.sh 1337344 1341905 1342065 1341930

suexec enhancements:

1) use syslog for logging

2) use capabilities not setuid/setgid root binary

http://svn.apache.org/viewvc?view=revision&revision=1337344

http://svn.apache.org/viewvc?view=revision&revision=1341905

http://svn.apache.org/viewvc?view=revision&revision=1342065

http://svn.apache.org/viewvc?view=revision&revision=1341930

--- httpd-2.4.4/configure.in.r1337344+

+++ httpd-2.4.4/configure.in

@@ -734,7 +734,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,

 AC_ARG_WITH(suexec-logfile,

 APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[

-  AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )

+  if test "x$withval" = "xyes"; then

+    AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])

+  fi

+])

+

+AC_ARG_WITH(suexec-syslog,

+APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[

+  if test $withval = "yes"; then

+    if test "x${with_suexec_logfile}" != "xno"; then

+      AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])

+      AC_MSG_ERROR([suexec does not support both logging to file and syslog])

+    fi

+    AC_CHECK_FUNCS([vsyslog], [], [

+       AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])

+    AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])

+  fi    

+])

+

 AC_ARG_WITH(suexec-safepath,

 APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[

@@ -744,6 +761,15 @@ AC_ARG_WITH(suexec-umask,

 APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[

   AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )

+INSTALL_SUEXEC=setuid

+AC_ARG_ENABLE([suexec-capabilities], 

+APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [

+INSTALL_SUEXEC=caps

+AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, 

+          [Enable if suexec is installed with Linux capabilities, not setuid])

+])

+APACHE_SUBST(INSTALL_SUEXEC)

+

 dnl APR should go after the other libs, so the right symbols can be picked up

 if test x${apu_found} != xobsolete; then

   AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"

--- httpd-2.4.4/docs/manual/suexec.html.en.r1337344+

+++ httpd-2.4.4/docs/manual/suexec.html.en

@@ -372,6 +372,21 @@

       together with the --enable-suexec option to let

       APACI accept your request for using the suEXEC feature.

+      
--enable-suexec-capabilities

+

+      
Linux specific: Normally,

+      the suexec binary is installed "setuid/setgid

+      root", which allows it to run with the full privileges of the

+      root user.  If this option is used, the suexec

+      binary will instead be installed with only the setuid/setgid

+      "capability" bits set, which is the subset of full root

+      priviliges required for suexec operation.  Note that

+      the suexec binary may not be able to write to a log

+      file in this mode; it is recommended that the

+      --with-suexec-syslog --without-suexec-logfile

+      options are used in conjunction with this mode, so that syslog

+      logging is used instead.

+

       
--with-suexec-bin=PATH

       
The path to the suexec binary must be hard-coded

@@ -433,6 +448,12 @@

       "suexec_log" and located in your standard logfile

       directory (--logfiledir).

+      
--with-suexec-syslog

+

+      
If defined, suexec will log notices and errors to syslog

+      instead of a logfile.  This option must be combined

+      with --without-suexec-logfile.

+

       
--with-suexec-safepath=PATH

       
Define a safe PATH environment to pass to CGI

@@ -550,9 +571,12 @@ Group webgroup

     
The suEXEC wrapper will write log information

     to the file defined with the --with-suexec-logfile

-    option as indicated above. If you feel you have configured and

-    installed the wrapper properly, have a look at this log and the

-    error_log for the server to see where you may have gone astray.

+    option as indicated above, or to syslog if --with-suexec-syslog

+    is used. If you feel you have configured and

+    installed the wrapper properly, have a look at the log and the

+    error_log for the server to see where you may have gone astray. 

+    The output of "suexec -V" will show the options

+    used to compile suexec, if using a binary distribution.

@@ -640,4 +664,4 @@ if (typeof(prettyPrint) !== 'undefined')

     prettyPrint();

 }

 //--></script>

-</body></html>

\ No newline at end of file

+</body></html>

--- httpd-2.4.4/Makefile.in.r1337344+

+++ httpd-2.4.4/Makefile.in

@@ -238,11 +238,22 @@ install-man:

 	  cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \

 	fi

-install-suexec:

+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC)

+

+install-suexec-binary:

 	@if test -f $(builddir)/support/suexec; then \

             test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \

             $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \

-            chmod 4755 $(DESTDIR)$(sbindir)/suexec; \

+	fi

+

+install-suexec-setuid:

+	@if test -f $(builddir)/support/suexec; then \

+	    chmod 4755 $(DESTDIR)$(sbindir)/suexec; \

+	fi

+

+install-suexec-caps:

+	@if test -f $(builddir)/support/suexec; then \

+            setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \

 	fi

 suexec:

--- httpd-2.4.4/modules/arch/unix/mod_unixd.c.r1337344+

+++ httpd-2.4.4/modules/arch/unix/mod_unixd.c

@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d

     return NULL;

 }

+#ifdef AP_SUEXEC_CAPABILITIES

+/* If suexec is using capabilities, don't test for the setuid bit. */

+#define SETUID_TEST(finfo) (1)

+#else

+#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)

+#endif

+

 static int

 unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,

                  apr_pool_t *ptemp)

@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_

     ap_unixd_config.suexec_enabled = 0;

     if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))

          == APR_SUCCESS) {

-        if ((wrapper.protection & APR_USETID) && wrapper.user == 0

+        if (SETUID_TEST(wrapper) && wrapper.user == 0

             && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {

             ap_unixd_config.suexec_enabled = 1;

             ap_unixd_config.suexec_disabled_reason = "";

--- httpd-2.4.4/support/suexec.c.r1337344+

+++ httpd-2.4.4/support/suexec.c

@@ -58,6 +58,10 @@

 #include <grp.h>

 #endif

+#ifdef AP_LOG_SYSLOG

+#include <syslog.h>

+#endif

+

 #if defined(PATH_MAX)

 #define AP_MAXPATH PATH_MAX

 #elif defined(MAXPATHLEN)

@@ -69,7 +73,20 @@

 #define AP_ENVBUF 256

 extern char **environ;

+

+#ifdef AP_LOG_SYSLOG

+/* Syslog support. */

+#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV)

+#define AP_LOG_FACILITY LOG_AUTHPRIV

+#elif !defined(AP_LOG_FACILITY)

+#define AP_LOG_FACILITY LOG_AUTH

+#endif

+

+static int log_open;

+#else

+/* Non-syslog support. */

 static FILE *log = NULL;

+#endif

 static const char *const safe_env_lst[] =

 {

@@ -137,7 +154,14 @@ static void err_output(int is_error, con

 static void err_output(int is_error, const char *fmt, va_list ap)

 {

-#ifdef AP_LOG_EXEC

+#if defined(AP_LOG_SYSLOG)

+    if (!log_open) {

+        openlog("suexec", LOG_PID, AP_LOG_FACILITY);

+        log_open = 1;

+    }

+

+    vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap);

+#elif defined(AP_LOG_EXEC)

     time_t timevar;

     struct tm *lt;

@@ -295,7 +319,9 @@ int main(int argc, char *argv[])

 #ifdef AP_HTTPD_USER

         fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);

 #endif

-#ifdef AP_LOG_EXEC

+#if defined(AP_LOG_SYSLOG)

+        fprintf(stderr, " -D AP_LOG_SYSLOG\n");

+#elif defined(AP_LOG_EXEC)

         fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);

 #endif

 #ifdef AP_SAFE_PATH

@@ -591,6 +617,12 @@ int main(int argc, char *argv[])

 #endif /* AP_SUEXEC_UMASK */

     /* Be sure to close the log file so the CGI can't mess with it. */

+#ifdef AP_LOG_SYSLOG

+    if (log_open) {

+        closelog();

+        log_open = 0;

+    }

+#else

     if (log != NULL) {

 #if APR_HAVE_FCNTL_H

         /*

@@ -612,6 +644,7 @@ int main(int argc, char *argv[])

         log = NULL;

 #endif

     }

+#endif

     /*

      * Execute the command, replacing our image with its own.