Blame SOURCES/mod_nss-certdb-permissions.patch

1ef406
From 7c08aa9b0aa10f4d13e7317c9a7353399188dba4 Mon Sep 17 00:00:00 2001
1ef406
From: Rob Crittenden <rcritten@redhat.com>
1ef406
Date: Wed, 21 Sep 2016 13:45:25 -0400
1ef406
Subject: [PATCH] Enhance checking on NSS database permissions to include
1ef406
 directory
1ef406
1ef406
Previously I was checking the NSS database files for readability
1ef406
but not the database directory itself. Since it starts as root if
1ef406
the directory permissions didn't allow read by the Apache user but
1ef406
the files themselves did then startup would continue but blow
1ef406
up due to the inability to chdir into the directory.
1ef406
1ef406
BZ #1312583
1ef406
---
1ef406
 nss_engine_init.c | 25 ++++++++++++++++---------
1ef406
 1 file changed, 16 insertions(+), 9 deletions(-)
1ef406
1ef406
diff --git a/nss_engine_init.c b/nss_engine_init.c
1ef406
index cd71989..03ac644 100644
1ef406
--- a/nss_engine_init.c
1ef406
+++ b/nss_engine_init.c
1ef406
@@ -51,8 +51,7 @@ static char *version_components[] = {
1ef406
     NULL
1ef406
 };
1ef406
 
1ef406
-/* See if a uid or gid can read a file at a given path. Ignore world
1ef406
- * read permissions.
1ef406
+/* See if a uid or gid can read a file at a given path.
1ef406
  *
1ef406
  * Return 0 on failure or file doesn't exist
1ef406
  * Return 1 on success
1ef406
@@ -65,14 +64,14 @@ static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
1ef406
     if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
1ef406
          p)) == APR_SUCCESS) {
1ef406
         if (((uid == finfo.user) &&
1ef406
-            ((finfo.protection & APR_FPROT_UREAD))) ||
1ef406
+            (finfo.protection & APR_FPROT_UREAD)) ||
1ef406
             ((gid == finfo.group) &&
1ef406
-                ((finfo.protection & APR_FPROT_GREAD)))
1ef406
+                (finfo.protection & APR_FPROT_GREAD)) ||
1ef406
+            (finfo.protection & APR_FPROT_WREAD)
1ef406
            )
1ef406
         {
1ef406
             return 1;
1ef406
         }
1ef406
-        return 0;
1ef406
     }
1ef406
     return 0;
1ef406
 }
1ef406
@@ -158,6 +157,11 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
1ef406
         }
1ef406
     }
1ef406
 
1ef406
+    if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)
1ef406
+        dbdir = (char *)mc->pCertificateDatabase + 4;
1ef406
+    else
1ef406
+        dbdir = (char *)mc->pCertificateDatabase;
1ef406
+
1ef406
     /* Assuming everything is ok so far, check the cert database permissions
1ef406
      * for the server user before Apache starts forking. We die now or
1ef406
      * get stuck in an endless loop not able to read the NSS database.
1ef406
@@ -172,6 +176,13 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
1ef406
                 "Checking permissions for user %s: uid %d gid %d",
1ef406
                 mc->user, pw->pw_uid, pw->pw_gid);
1ef406
 
1ef406
+            if (!(check_path(pw->pw_uid, pw->pw_gid, dbdir, p))) {
1ef406
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
1ef406
+                    "Server user %s lacks read access to NSS "
1ef406
+                    "database directory %s.", mc->user, dbdir);
1ef406
+                nss_die();
1ef406
+            }
1ef406
+
1ef406
             if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
1ef406
                 apr_snprintf(filepath, 1024, "%s/key4.db",
1ef406
                              mc->pCertificateDatabase+4);
1ef406
@@ -231,10 +242,6 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
1ef406
             else
1ef406
                 return;
1ef406
     }
1ef406
-    if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)
1ef406
-        dbdir = (char *)mc->pCertificateDatabase + 4;
1ef406
-    else
1ef406
-        dbdir = (char *)mc->pCertificateDatabase;
1ef406
     if (chdir(dbdir) != 0) {
1ef406
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
1ef406
             "Unable to change directory to %s", mc->pCertificateDatabase);
1ef406
-- 
1ef406
2.5.5
1ef406