|
|
1ef406 |
From 7c08aa9b0aa10f4d13e7317c9a7353399188dba4 Mon Sep 17 00:00:00 2001
|
|
|
1ef406 |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
1ef406 |
Date: Wed, 21 Sep 2016 13:45:25 -0400
|
|
|
1ef406 |
Subject: [PATCH] Enhance checking on NSS database permissions to include
|
|
|
1ef406 |
directory
|
|
|
1ef406 |
|
|
|
1ef406 |
Previously I was checking the NSS database files for readability
|
|
|
1ef406 |
but not the database directory itself. Since it starts as root if
|
|
|
1ef406 |
the directory permissions didn't allow read by the Apache user but
|
|
|
1ef406 |
the files themselves did then startup would continue but blow
|
|
|
1ef406 |
up due to the inability to chdir into the directory.
|
|
|
1ef406 |
|
|
|
1ef406 |
BZ #1312583
|
|
|
1ef406 |
---
|
|
|
1ef406 |
nss_engine_init.c | 25 ++++++++++++++++---------
|
|
|
1ef406 |
1 file changed, 16 insertions(+), 9 deletions(-)
|
|
|
1ef406 |
|
|
|
1ef406 |
diff --git a/nss_engine_init.c b/nss_engine_init.c
|
|
|
1ef406 |
index cd71989..03ac644 100644
|
|
|
1ef406 |
--- a/nss_engine_init.c
|
|
|
1ef406 |
+++ b/nss_engine_init.c
|
|
|
1ef406 |
@@ -51,8 +51,7 @@ static char *version_components[] = {
|
|
|
1ef406 |
NULL
|
|
|
1ef406 |
};
|
|
|
1ef406 |
|
|
|
1ef406 |
-/* See if a uid or gid can read a file at a given path. Ignore world
|
|
|
1ef406 |
- * read permissions.
|
|
|
1ef406 |
+/* See if a uid or gid can read a file at a given path.
|
|
|
1ef406 |
*
|
|
|
1ef406 |
* Return 0 on failure or file doesn't exist
|
|
|
1ef406 |
* Return 1 on success
|
|
|
1ef406 |
@@ -65,14 +64,14 @@ static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
|
|
|
1ef406 |
if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
|
|
|
1ef406 |
p)) == APR_SUCCESS) {
|
|
|
1ef406 |
if (((uid == finfo.user) &&
|
|
|
1ef406 |
- ((finfo.protection & APR_FPROT_UREAD))) ||
|
|
|
1ef406 |
+ (finfo.protection & APR_FPROT_UREAD)) ||
|
|
|
1ef406 |
((gid == finfo.group) &&
|
|
|
1ef406 |
- ((finfo.protection & APR_FPROT_GREAD)))
|
|
|
1ef406 |
+ (finfo.protection & APR_FPROT_GREAD)) ||
|
|
|
1ef406 |
+ (finfo.protection & APR_FPROT_WREAD)
|
|
|
1ef406 |
)
|
|
|
1ef406 |
{
|
|
|
1ef406 |
return 1;
|
|
|
1ef406 |
}
|
|
|
1ef406 |
- return 0;
|
|
|
1ef406 |
}
|
|
|
1ef406 |
return 0;
|
|
|
1ef406 |
}
|
|
|
1ef406 |
@@ -158,6 +157,11 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
|
|
|
1ef406 |
}
|
|
|
1ef406 |
}
|
|
|
1ef406 |
|
|
|
1ef406 |
+ if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)
|
|
|
1ef406 |
+ dbdir = (char *)mc->pCertificateDatabase + 4;
|
|
|
1ef406 |
+ else
|
|
|
1ef406 |
+ dbdir = (char *)mc->pCertificateDatabase;
|
|
|
1ef406 |
+
|
|
|
1ef406 |
/* Assuming everything is ok so far, check the cert database permissions
|
|
|
1ef406 |
* for the server user before Apache starts forking. We die now or
|
|
|
1ef406 |
* get stuck in an endless loop not able to read the NSS database.
|
|
|
1ef406 |
@@ -172,6 +176,13 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
|
|
|
1ef406 |
"Checking permissions for user %s: uid %d gid %d",
|
|
|
1ef406 |
mc->user, pw->pw_uid, pw->pw_gid);
|
|
|
1ef406 |
|
|
|
1ef406 |
+ if (!(check_path(pw->pw_uid, pw->pw_gid, dbdir, p))) {
|
|
|
1ef406 |
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
|
|
1ef406 |
+ "Server user %s lacks read access to NSS "
|
|
|
1ef406 |
+ "database directory %s.", mc->user, dbdir);
|
|
|
1ef406 |
+ nss_die();
|
|
|
1ef406 |
+ }
|
|
|
1ef406 |
+
|
|
|
1ef406 |
if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
|
|
|
1ef406 |
apr_snprintf(filepath, 1024, "%s/key4.db",
|
|
|
1ef406 |
mc->pCertificateDatabase+4);
|
|
|
1ef406 |
@@ -231,10 +242,6 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
|
|
|
1ef406 |
else
|
|
|
1ef406 |
return;
|
|
|
1ef406 |
}
|
|
|
1ef406 |
- if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)
|
|
|
1ef406 |
- dbdir = (char *)mc->pCertificateDatabase + 4;
|
|
|
1ef406 |
- else
|
|
|
1ef406 |
- dbdir = (char *)mc->pCertificateDatabase;
|
|
|
1ef406 |
if (chdir(dbdir) != 0) {
|
|
|
1ef406 |
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
|
|
1ef406 |
"Unable to change directory to %s", mc->pCertificateDatabase);
|
|
|
1ef406 |
--
|
|
|
1ef406 |
2.5.5
|
|
|
1ef406 |
|