From 7c08aa9b0aa10f4d13e7317c9a7353399188dba4 Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Wed, 21 Sep 2016 13:45:25 -0400

Subject: [PATCH] Enhance checking on NSS database permissions to include

 directory

Previously I was checking the NSS database files for readability

but not the database directory itself. Since it starts as root if

the directory permissions didn't allow read by the Apache user but

the files themselves did then startup would continue but blow

up due to the inability to chdir into the directory.

BZ #1312583

---

 nss_engine_init.c | 25 ++++++++++++++++---------

 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/nss_engine_init.c b/nss_engine_init.c

index cd71989..03ac644 100644

--- a/nss_engine_init.c

+++ b/nss_engine_init.c

@@ -51,8 +51,7 @@ static char *version_components[] = {

     NULL

 };

-/* See if a uid or gid can read a file at a given path. Ignore world

- * read permissions.

+/* See if a uid or gid can read a file at a given path.

  *

  * Return 0 on failure or file doesn't exist

  * Return 1 on success

@@ -65,14 +64,14 @@ static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)

     if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,

          p)) == APR_SUCCESS) {

         if (((uid == finfo.user) &&

-            ((finfo.protection & APR_FPROT_UREAD))) ||

+            (finfo.protection & APR_FPROT_UREAD)) ||

             ((gid == finfo.group) &&

-                ((finfo.protection & APR_FPROT_GREAD)))

+                (finfo.protection & APR_FPROT_GREAD)) ||

+            (finfo.protection & APR_FPROT_WREAD)

            )

         {

             return 1;

         }

-        return 0;

     }

     return 0;

 }

@@ -158,6 +157,11 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)

         }

     }

+    if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)

+        dbdir = (char *)mc->pCertificateDatabase + 4;

+    else

+        dbdir = (char *)mc->pCertificateDatabase;

+

     /* Assuming everything is ok so far, check the cert database permissions

      * for the server user before Apache starts forking. We die now or

      * get stuck in an endless loop not able to read the NSS database.

@@ -172,6 +176,13 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)

                 "Checking permissions for user %s: uid %d gid %d",

                 mc->user, pw->pw_uid, pw->pw_gid);

+            if (!(check_path(pw->pw_uid, pw->pw_gid, dbdir, p))) {

+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,

+                    "Server user %s lacks read access to NSS "

+                    "database directory %s.", mc->user, dbdir);

+                nss_die();

+            }

+

             if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {

                 apr_snprintf(filepath, 1024, "%s/key4.db",

                              mc->pCertificateDatabase+4);

@@ -231,10 +242,6 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)

             else

                 return;

     }

-    if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)

-        dbdir = (char *)mc->pCertificateDatabase + 4;

-    else

-        dbdir = (char *)mc->pCertificateDatabase;

     if (chdir(dbdir) != 0) {

         ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,

             "Unable to change directory to %s", mc->pCertificateDatabase);

-- 

2.5.5