# Fedora 5, 6, and 7 versions includes SELinux policy module package
# Fedora 8 and 9 versions include policy in errata selinux-policy releases
# Fedora 10 onwards include policy in standard selinux-policy releases
# RHEL 5.5 onwards include policy in standard selinux-policy releases
%if 0%{?fedora} < 5 || 0%{?fedora} > 7 || 0%{?rhel}
%global selinux_module 0
%global selinux_types %{nil}
%global selinux_variants %{nil}
%global selinux_buildreqs %{nil}
%else
%global selinux_module 1
%global selinux_types %(awk '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls strict targeted || echo %{selinux_types})
%global selinux_buildreqs checkpolicy, selinux-policy-devel, hardlink
%endif
# apxs script location
%{!?_httpd_apxs: %global _httpd_apxs %{_sbindir}/apxs}
# Module Magic Number
%{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo missing-httpd-devel)}
# Configuration directory
%{!?_httpd_confdir: %global _httpd_confdir %{_sysconfdir}/httpd/conf.d}
# For httpd ≥ 2.4 we have a different filesystem layout
%if 0%{?fedora} > 17 || 0%{?rhel} > 6
%global httpd24 1
%global rundir /run
%else
%global httpd24 0
%global rundir %{_localstatedir}/run
%endif
Name: mod_fcgid
Version: 2.3.9
Release: 6%{?dist}
Summary: FastCGI interface module for Apache 2
Group: System Environment/Daemons
License: ASL 2.0
URL: http://httpd.apache.org/mod_fcgid/
Source0: http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2
Source1: fcgid.conf
Source2: mod_fcgid-2.1-README.RPM
Source3: mod_fcgid-2.1-README.SELinux
Source4: mod_fcgid-tmpfs.conf
Source5: fcgid24.conf
Source10: fastcgi.te
Source11: fastcgi-2.5.te
Source12: fastcgi.fc
Patch0: mod_fcgid-2.3.4-fixconf-shellbang.patch
Patch1: mod_fcgid-2.3.9-segfault-upload.patch
Patch2: mod_fcgid-2.3.9-r1848298.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
BuildRequires: httpd-devel >= 2.0, pkgconfig
Requires: httpd-mmn = %{_httpd_mmn}
# sed required for fixconf script
Requires: /bin/sed
# systemd-units needed for ownership of /usr/lib/tmpfiles.d directory
%if 0%{?fedora} > 14 || 0%{?rhel} > 6
Requires: systemd-units
%endif
# Make sure that selinux-policy is sufficiently up-to-date if it's installed
# FastCGI policy properly incorporated into EL 5.5
%if "%{?rhel}" == "5"
Conflicts: selinux-policy < 2.4.6-279.el5
# No provide here because selinux-policy >= 2.4.6-279.el5 does the providing
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
%endif
%if "%{?fedora}" == "8"
Conflicts: selinux-policy < 3.0.8-123.fc8
%endif
%if "%{?fedora}" == "9"
Conflicts: selinux-policy < 3.3.1-107.fc9
%endif
%if "%{?fedora}" == "10"
Conflicts: selinux-policy < 3.5.13-8.fc10
%endif
%description
mod_fcgid is a binary-compatible alternative to the Apache module mod_fastcgi.
mod_fcgid has a new process management strategy, which concentrates on reducing
the number of fastcgi servers, and kicking out corrupt fastcgi servers as soon
as possible.
%if %{selinux_module}
%package selinux
Summary: SELinux policy module supporting FastCGI applications with mod_fcgid
Group: System Environment/Base
BuildRequires: %{selinux_buildreqs}
# selinux-policy is required for directory ownership of %%{_datadir}/selinux/*
#
# version requirement is a hack to avoid problems mixing new modules with older policy,
# e.g. http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00102.html
# _selinux_policy_version introduced in F-20 (#999584), but can be emulated by
# pulling the policy version number from the policyhelp file on older distributions
%{!?_selinux_policy_version: %global _selinux_policy_version %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp 2>/dev/null || echo 0.0.0)}
%global selinux_policynum %(echo %{_selinux_policy_version} | awk -F. '{ printf "%d%02d%02d", $1, $2, $3 }')
Requires: selinux-policy >= %{_selinux_policy_version}
Requires: %{name} = %{version}-%{release}
Requires(post): /usr/sbin/semodule, /sbin/restorecon
Requires(postun): /usr/sbin/semodule, /sbin/restorecon
%description selinux
SELinux policy module supporting FastCGI applications with mod_fcgid.
%endif
%prep
%setup -q
cp -p %{SOURCE1} fcgid.conf
cp -p %{SOURCE2} README.RPM
cp -p %{SOURCE3} README.SELinux
cp -p %{SOURCE5} fcgid24.conf
%if 0%{?selinux_policynum} < 20501
cp -p %{SOURCE10} fastcgi.te
%else
cp -p %{SOURCE11} fastcgi.te
%endif
cp -p %{SOURCE12} fastcgi.fc
# Fix shellbang in fixconf script for our location of sed
%patch0 -p1
%patch1 -p1 -b .segfault_upload
%patch2 -p1 -b .r1848298
%build
APXS=%{_httpd_apxs} ./configure.apxs
make
%if %{selinux_module}
for selinuxvariant in %{selinux_variants}
do
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
mv fastcgi.pp fastcgi.pp.${selinuxvariant}
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
done
%endif
%install
rm -rf %{buildroot}
make DESTDIR=%{buildroot} MKINSTALLDIRS="mkdir -p" install
%if %{httpd24}
mkdir -p %{buildroot}{%{_httpd_confdir},%{_httpd_modconfdir}}
echo "LoadModule fcgid_module modules/mod_fcgid.so" > %{buildroot}%{_httpd_modconfdir}/10-fcgid.conf
install -D -m 644 fcgid24.conf %{buildroot}%{_httpd_confdir}/fcgid.conf
%else
install -D -m 644 fcgid.conf %{buildroot}%{_httpd_confdir}/fcgid.conf
%endif
install -d -m 755 %{buildroot}%{rundir}/mod_fcgid
# Include the manual as %%doc, don't need it elsewhere
%if %{httpd24}
rm -rf %{buildroot}%{_httpd_contentdir}/manual
%else
rm -rf %{buildroot}%{_var}/www/manual
%endif
# Make sure %%{rundir}/mod_fcgid exists at boot time for systems
# with %%{rundir} on tmpfs (#656625)
%if 0%{?fedora} > 14 || 0%{?rhel} > 6
install -d -m 755 %{buildroot}%{_prefix}/lib/tmpfiles.d
install -p -m 644 %{SOURCE4} %{buildroot}%{_prefix}/lib/tmpfiles.d/mod_fcgid.conf
%endif
# Install SELinux policy modules
%if %{selinux_module}
for selinuxvariant in %{selinux_variants}
do
install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
install -p -m 644 fastcgi.pp.${selinuxvariant} \
%{buildroot}%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp
done
# Hardlink identical policy module packages together
hardlink -cv %{buildroot}%{_datadir}/selinux
%endif
%clean
rm -rf %{buildroot}
%if %{selinux_module}
%post selinux
# Install SELinux policy modules
for selinuxvariant in %{selinux_variants}
do
/usr/sbin/semodule -s ${selinuxvariant} -i \
%{_datadir}/selinux/${selinuxvariant}/fastcgi.pp &> /dev/null || :
done
# Fix up non-standard directory context from earlier packages
/sbin/restorecon -R %{rundir}/mod_fcgid || :
%postun selinux
# Clean up after package removal
if [ $1 -eq 0 ]; then
# Remove SELinux policy modules
for selinuxvariant in %{selinux_variants}; do
/usr/sbin/semodule -s ${selinuxvariant} -r fastcgi &> /dev/null || :
done
# Clean up any remaining file contexts (shouldn't be any really)
[ -d %{rundir}/mod_fcgid ] && \
/sbin/restorecon -R %{rundir}/mod_fcgid &> /dev/null || :
fi
exit 0
%endif
%files
%defattr(-,root,root,-)
# mod_fcgid.html.en is explicitly encoded as ISO-8859-1
%doc CHANGES-FCGID LICENSE-FCGID NOTICE-FCGID README-FCGID STATUS-FCGID
%doc docs/manual/mod/mod_fcgid.html.en modules/fcgid/ChangeLog
%doc build/fixconf.sed
%{_libdir}/httpd/modules/mod_fcgid.so
%if %{httpd24}
%config(noreplace) %{_httpd_modconfdir}/10-fcgid.conf
%endif
%config(noreplace) %{_httpd_confdir}/fcgid.conf
%if 0%{?fedora} > 14 || 0%{?rhel} > 6
%{_prefix}/lib/tmpfiles.d/mod_fcgid.conf
%endif
%dir %attr(0755,apache,apache) %{rundir}/mod_fcgid/
%if %{selinux_module}
%files selinux
%defattr(-,root,root,-)
%doc fastcgi.fc fastcgi.te README.SELinux
%{_datadir}/selinux/*/fastcgi.pp
%endif
%changelog
* Thu Dec 6 2018 Joe Orton <jorton@redhat.com> - 2.3.9-6
- fix handling of chunked request bodies (#1652493)
* Mon Sep 04 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.3.9-5
- Resolves: #1486653 - mod_fcgid cause Segmentation fault error while doing
large file uploads over HTTPS
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.3.9-4
- Mass rebuild 2014-01-24
* Mon Jan 13 2014 Joe Orton <jorton@redhat.com> - 2.3.9-3
- rebuild for #1029360
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.3.9-2
- Mass rebuild 2013-12-27
* Tue Oct 8 2013 Paul Howarth <paul@city-fan.org> 2.3.9-1
- Update to 2.3.9
- SECURITY: Fix possible heap buffer overwrite (CVE-2013-4365)
- Add experimental cmake-based build system for Windows
- Correctly parse quotation and escaped spaces in FcgidWrapper and the AAA
Authenticator/Authorizor/Access directives' command line argument, as
currently documented (PR#51194)
- Honor quoted FcgidCmdOptions arguments (notably for InitialEnv
assignments) (PR#51657)
- Conform script response parsing with mod_cgid and ensure no response body
is sent when ap_meets_conditions() determines that request conditions are
met
- Improve logging in access control hook functions
- Avoid making internal sub-requests and processing Location headers when in
FCGI_AUTHORIZER mode, as the auth hook functions already treat Location
headers returned by scripts as an error since redirections are not
meaningful in this mode
- Revert fix for PR#53693, added in 2.3.8 but undocumented
- Fix issues with a minor optimization added in 2.3.8
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 2.3.7-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 2.3.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Wed Jul 4 2012 Paul Howarth <paul@city-fan.org> 2.3.7-4
- Move tmpfiles.d config from %%{_sysconfdir} to %%{_prefix}/lib
* Wed May 2 2012 Paul Howarth <paul@city-fan.org> 2.3.7-3
- Make %%files list more explicit
* Wed May 2 2012 Joe Orton <jorton@redhat.com> 2.3.7-2
- Use 10- prefix for conf file in conf.modules.d with httpd ≥ 2.4
- Use _httpd_confdir throughout
* Mon Apr 23 2012 Paul Howarth <paul@city-fan.org> 2.3.7-1
- Update to 2.3.7
- Introduce FcgidWin32PreventOrphans directive on Windows to use OS Job
Control Objects to terminate all running fcgi's when the worker process
has been abruptly terminated (PR: 51078)
- Periodically clean out the brigades that are pulling in the request body
for handoff to the fcgid child (PR: 51749)
- Resolve crash during graceful restarts (PR: 50309)
- Solve latency/congestion of resolving effective user file access rights
when no such info is desired, for config-related filename stats (PR: 51020)
- Fix regression in 2.3.6 that broke process controls when using
vhost-specific configuration
- Account for first process in class in the spawn score
- Drop patch for CVE-2012-1181, now included in upstream release
* Tue Mar 27 2012 Paul Howarth <paul@city-fan.org> 2.3.6-6
- Fix compatibility with httpd 2.4 in F-18/RHEL-7 onwards
- Use /run rather than /var/run from F-15/RHEL-7 onwards
* Sun Jan 22 2012 Paul Howarth <paul@city-fan.org> 2.3.6-5
- Fix regression in 2.3.6 that broke process controls when using vhost-specific
configuration (upstream issue 49902, #783742, CVE-2012-1181)
* Fri Jan 6 2012 Paul Howarth <paul@city-fan.org> 2.3.6-4
- Nobody else likes macros for commands
* Tue Feb 8 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 2.3.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Wed Dec 1 2010 Paul Howarth <paul@city-fan.org> 2.3.6-2
- Add /etc/tmpfiles.d/mod_fcgid.conf for builds on Fedora 15 onwards to
support running with /var/run on tmpfs (#656625)
* Thu Nov 4 2010 Paul Howarth <paul@city-fan.org> 2.3.6-1
- Update to 2.3.6 (see CHANGES-FCGID for full details)
- Fix possible stack buffer overwrite (CVE-2010-3872)
- Change the default for FcgidMaxRequestLen from 1GB to 128K; administrators
should change this to an appropriate value based on site requirements
- Correct a problem that resulted in FcgidMaxProcesses being ignored in some
situations
- Return 500 instead of segfaulting when the application returns no output
- Don't include SELinux policy for RHEL-5 builds since RHEL >= 5.5 includes it
- Explicitly require /bin/sed for fixconf script
* Tue Jun 8 2010 Paul Howarth <paul@city-fan.org> 2.3.5-2
- SELinux policy module not needed for RHEL-6 onwards
* Wed Jan 27 2010 Paul Howarth <paul@city-fan.org> 2.3.5-1
- Update to 2.3.5 (see CHANGES-FCGID for details)
- Drop upstream svn patch
* Wed Oct 21 2009 Paul Howarth <paul@city-fan.org> 2.3.4-2
- Add fixes from upstream svn for a number of issues, most notably that the
fixconf script had an error in the regexp, which resulted in a prefix of
"FcgidFcgid" on the updated directives
* Mon Oct 12 2009 Paul Howarth <paul@city-fan.org> 2.3.4-1
- Update to 2.3.4 (configuration directives changed again)
- Add fixconf.sed script for config file directives update
* Fri Sep 25 2009 Paul Howarth <paul@city-fan.org> 2.3.1-2.20090925svn818270
- Update to svn revision 818270
- DESTDIR and header detection patches upstreamed
- Build SELinux policy module for EL-5; support in EL-5.3 is incomplete and
will be fixed in EL-5.5 (#519369)
- Drop aliases httpd_sys_content_r{a,o,w}_t -> httpd_fastcgi_content_r{a,o,w}_t
from pre-2.5 SElinux policy module as these types aren't defined there
* Wed Sep 23 2009 Paul Howarth <paul@city-fan.org> 2.3.1-1.20090923svn817978
- Update to post-2.3.1 svn snapshot
- Upstream moved to apache.org
- License changed to ASL 2.0
- Use FCGID-prefixed config file options (old ones deprecated)
- Lots of documentation changes
- Renumber sources
- Don't defer to mod_fastcgi if both are present
- Drop gawk buildreq
- Add patches fixing RPM build issues (DESTDIR support, header detection)
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Tue May 26 2009 Paul Howarth <paul@city-fan.org> 2.2-12
- Don't use /etc/httpd/run as basis of "run" directory as its DAC permissions
are not permissive enough in F-11 onwards; instead, revert to
/var/run/mod_fcgid and tweak default config accordingly (#502273)
* Sun May 17 2009 Paul Howarth <paul@city-fan.org> 2.2-11
- Follow link /etc/httpd/run and make our "run" directory a subdir of wherever
that leads (#501123)
* Mon Apr 6 2009 Paul Howarth <paul@city-fan.org> 2.2-10
- EL 5.3 now has SELinux support in the main selinux-policy package so handle
that release as per Fedora >= 8, except that the RHEL selinux-policy package
doesn't Obsolete/Provide mod_fcgid-selinux like the Fedora version, so do
the obsoletion here instead
* Thu Feb 26 2009 Paul Howarth <paul@city-fan.org> 2.2-9
- Update documentation for MoinMoin, Rails (#476658), and SELinux
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Wed Nov 12 2008 Paul Howarth <paul@city-fan.org> 2.2-7
- SELinux policy module no longer built for Fedora 8 onwards as it is
obsoleted by the main selinux-policy package
- Conflicts for selinux-policy packages older than the releases where mod_fcgid
policy was incorporated have been added for Fedora 8, 9, and 10 versions, to
ensure that SELinux support will work if installed
* Tue Oct 21 2008 Paul Howarth <paul@city-fan.org> 2.2-6
- SELinux policy module rewritten to merge fastcgi and system script domains
in preparation for merge into main selinux-policy package (#462318)
- Try to determine supported SELinux policy types by reading /etc/selinux/config
* Thu Jul 24 2008 Paul Howarth <paul@city-fan.org> 2.2-5
- Tweak selinux-policy version detection macro to work with current Rawhide
* Thu Feb 14 2008 Paul Howarth <paul@city-fan.org> 2.2-4
- Rebuild with gcc 4.3.0 for Fedora 9
* Mon Jan 14 2008 Paul Howarth <paul@city-fan.org> 2.2-3
- Update SELinux policy to fix occasional failures on restarts
(move shared memory file into /var/run/mod_fcgid directory)
* Thu Jan 3 2008 Paul Howarth <paul@city-fan.org> 2.2-2
- Update SELinux policy to support file transition to httpd_tmp_t for
temporary files
* Fri Sep 14 2007 Paul Howarth <paul@city-fan.org> 2.2-1
- Update to version 2.2
- Make sure docs are encoded as UTF-8
* Mon Sep 3 2007 Joe Orton <jorton@redhat.com> 2.1-6
- rebuild for fixed 32-bit APR (#254241)
* Thu Aug 23 2007 Paul Howarth <paul@city-fan.org> 2.1-5
- Update source URL to point to downloads.sf.net rather than dl.sf.net
- Upstream released new tarball without changing version number, though the
only change was in arch/win32/fcgid_pm_win.c, which is not used to build the
RPM package
- Clarify license as GPL (unspecified/any version)
- Unexpand tabs in spec
- Add buildreq of gawk
* Fri Aug 3 2007 Paul Howarth <paul@city-fan.org> 2.1-4
- Add buildreq of pkgconfig, a missing dependency of both apr-devel and
apr-util-devel on FC5
* Fri Jun 15 2007 Paul Howarth <paul@city-fan.org> 2.1-3
- Major update of SELinux policy, supporting accessing data on NFS/CIFS shares
and a new boolean, httpd_fastcgi_can_sendmail, to allow connections to SMTP
servers
- Fix for SELinux policy on Fedora 7, which didn't work due to changes in the
permissions macros in the underlying selinux-policy package
* Wed Mar 21 2007 Paul Howarth <paul@city-fan.org> 2.1-2
- Add RHEL5 with SELinux support
- Rename README.Fedora to README.RPM
* Fri Feb 16 2007 Paul Howarth <paul@city-fan.org> 2.1-1
- Update to 2.1
- Update documentation and patches
- Rename some source files to reduce chances of conflicting names
- Include SharememPath directive in conf file to avoid unfortunate upstream
default location
* Mon Oct 30 2006 Paul Howarth <paul@city-fan.org> 2.0-1
- Update to 2.0
- Source is now hosted at sourceforge.net
- Update docs
* Wed Sep 6 2006 Paul Howarth <paul@city-fan.org> 1.10-7
- Include the right README* files
* Tue Aug 29 2006 Paul Howarth <paul@city-fan.org> 1.10-6
- Buildreqs for FC5 now identical to buildreqs for FC6 onwards
* Fri Jul 28 2006 Paul Howarth <paul@city-fan.org> 1.10-5
- Split off SELinux module into separate subpackage to avoid dependency on
the selinux-policy package for the main package
* Fri Jul 28 2006 Paul Howarth <paul@city-fan.org> 1.10-4
- SELinux policy packages moved from %%{_datadir}/selinux/packages/POLICYNAME
to %%{_datadir}/selinux/POLICYNAME
- hardlink identical policy module packages together to avoid duplicate files
* Thu Jul 20 2006 Paul Howarth <paul@city-fan.org> 1.10-3
- Adjust buildreqs for FC6 onwards
- Figure out where top_dir is dynamically since the /etc/httpd/build
symlink is gone in FC6
* Wed Jul 5 2006 Paul Howarth <paul@city-fan.org> 1.10-2
- SELinux policy update: allow FastCGI apps to do DNS lookups
* Tue Jul 4 2006 Paul Howarth <paul@city-fan.org> 1.10-1
- Update to 1.10
- Expand tabs to shut rpmlint up
* Tue Jul 4 2006 Paul Howarth <paul@city-fan.org> 1.09-10
- SELinux policy update:
* allow httpd to read httpd_fastcgi_content_t without having the
| httpd_builtin_scripting boolean set
* allow httpd_fastcgi_script_t to read /etc/resolv.conf without
| having the httpd_can_network_connect boolean set
* Sun Jun 18 2006 Paul Howarth <paul@city-fan.org> 1.09-9
- Discard output of semodule in %%postun
- Include some documentation from upstream
* Fri Jun 9 2006 Paul Howarth <paul@city-fan.org> 1.09-8
- Change default context type for socket directory from var_run_t to
httpd_fastcgi_sock_t for better separation
* Thu Jun 8 2006 Paul Howarth <paul@city-fan.org> 1.09-7
- Add SELinux policy module and README.Fedora
- Conflict with selinux-policy versions older than what we're built on
* Mon May 15 2006 Paul Howarth <paul@city-fan.org> 1.09-6
- Instead of conflicting with mod_fastcgi, don't add the handler for .fcg etc.
if mod_fastcgi is present
* Fri May 12 2006 Paul Howarth <paul@city-fan.org> 1.09-5
- Use correct handler name in fcgid.conf
- Conflict with mod_fastcgi
- Create directory %%{_localstatedir}/run/mod_fcgid for sockets
* Thu May 11 2006 Paul Howarth <paul@city-fan.org> 1.09-4
- Cosmetic tweaks (personal preferences)
- Don't include INSTALL.TXT, nothing of use to end users
* Wed May 10 2006 Thomas Antony <thomas@antony.eu> 1.09-3
- Initial release