dgaudet 97/10/07 13:05:07
Modified: src CHANGES
src/main httpd.h util.c util_script.c
src/modules/standard mod_cgi.c
Log:
Back out PR#918, it doesn't seem to do what it was supposed to do -- could
be my fault because I had to update it to the newer logging/formatting.
But nobody has had a chance to fix it yet.
Revision Changes Path
1.462 +0 -3 apachen/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apachen/src/CHANGES,v
retrieving revision 1.461
retrieving revision 1.462
diff -u -r1.461 -r1.462
--- CHANGES 1997/10/07 19:53:19 1.461
+++ CHANGES 1997/10/07 20:04:58 1.462
@@ -38,9 +38,6 @@
Also removed the auto-generated link to www.apache.org that was the
source of so many misdirected bug reports. [Roy Fielding, Marc Slemko]
- *) Change to CGI permission test to allow User/Group tests to do the
- right thing for suexec. [Randy Terbush] PR#918
-
*) send_fb would not detect aborted connections in some situations.
[Dean Gaudet]
1.153 +1 -1 apachen/src/main/httpd.h
Index: httpd.h
===================================================================
RCS file: /export/home/cvs/apachen/src/main/httpd.h,v
retrieving revision 1.152
retrieving revision 1.153
diff -u -r1.152 -r1.153
--- httpd.h 1997/10/07 19:34:05 1.152
+++ httpd.h 1997/10/07 20:05:02 1.153
@@ -811,7 +811,7 @@
API_EXPORT(uid_t) uname2id(const char *name);
API_EXPORT(gid_t) gname2id(const char *name);
API_EXPORT(int) is_directory(const char *name);
-API_EXPORT(int) can_exec(const struct stat *, uid_t, gid_t);
+API_EXPORT(int) can_exec(const struct stat *);
API_EXPORT(void) chdir_file(const char *file);
#ifndef HAVE_CANONICAL_FILENAME
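Review bot: The one-argument `can_exec` prototype no longer says whose permissions are tested, and unlike its neighbours it leaves the parameter unnamed. Since the function is exported through `API_EXPORT`, a module author reading only the header cannot tell that the answer now depends on process-wide state rather than on arguments. I would write it as `API_EXPORT(int) can_exec(const struct stat *finfo);` with a comment above it such as `/* nonzero if the server's own user_id/group_id may execute the file described by finfo */`. That wording assumes `user_id` and `group_id` in util.c are the configured server identity, which this page does not show.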
1.71 +3 -3 apachen/src/main/util.c
Index: util.c
===================================================================
RCS file: /export/home/cvs/apachen/src/main/util.c,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- util.c 1997/09/26 03:52:11 1.70
+++ util.c 1997/10/07 20:05:03 1.71
@@ -1070,7 +1070,7 @@
return (x ? 1 : 0); /* If the first character is ':', it's
broken, too */
}
-API_EXPORT(int) can_exec(const struct stat *finfo, uid_t uid, gid_t gid)
+API_EXPORT(int) can_exec(const struct stat *finfo)
{
#ifdef MULTIPLE_GROUPS
int cnt;
@@ -1079,10 +1079,10 @@
/* OS/2 dosen't have Users and Groups */
return 1;
#else
- if (uid == finfo->st_uid)
+ if (user_id == finfo->st_uid)
if (finfo->st_mode & S_IXUSR)
return 1;
- if (gid == finfo->st_gid)
+ if (group_id == finfo->st_gid)
if (finfo->st_mode & S_IXGRP)
return 1;
#ifdef MULTIPLE_GROUPS
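Review bot: The owner test at `if (user_id == finfo->st_uid)` falls through to the group test when `S_IXUSR` is clear, so a file owned by the server user with no owner-execute bit but a matching group and `S_IXGRP` set is reported as executable. The kernel picks exactly one permission class, so it would refuse that exec, and `can_exec` says yes where the later exec fails. Making the owner branch decisive would match it: `if (user_id == finfo->st_uid) return (finfo->st_mode & S_IXUSR) != 0;`, and likewise for the group branch. The result is still only advisory, since it compares against `user_id`/`group_id` rather than the process's effective ids and uses a stat taken earlier. The function body begins and continues outside this hunk, so the remaining branches were not reviewed.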
1.77 +0 -14 apachen/src/main/util_script.c
Index: util_script.c
===================================================================
RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- util_script.c 1997/10/07 05:27:11 1.76
+++ util_script.c 1997/10/07 20:05:03 1.77
@@ -817,13 +817,6 @@
grpname = gr->gr_name;
}
- if (!can_exec(&r->finfo, pw->pw_uid, gr->gr_gid)) {
- aplog_error(APLOG_MARK, APLOG_ERR, r->server,
- "file permissions deny server execution: %s",
- r->filename);
- return -1;
- }
-
if (shellcmd)
execle(SUEXEC_BIN, SUEXEC_BIN, execuser, grpname, argv0, NULL, env);
@@ -838,13 +831,6 @@
}
}
else {
- if (!can_exec(&r->finfo, user_id, group_id)) {
- aplog_error(APLOG_MARK, APLOG_ERR, r->server,
- "file permissions deny server execution: %s",
- r->filename);
- return -1;
- }
-
if (shellcmd)
execle(SHELL_PATH, SHELL_PATH, "-c", argv0, NULL, env);
1.60 +5 -0 apachen/src/modules/standard/mod_cgi.c
Index: mod_cgi.c
===================================================================
RCS file: /export/home/cvs/apachen/src/modules/standard/mod_cgi.c,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -r1.59 -r1.60
--- mod_cgi.c 1997/10/07 05:27:24 1.59
+++ mod_cgi.c 1997/10/07 20:05:06 1.60
@@ -393,6 +393,11 @@
return log_scripterror(r, conf, NOT_FOUND, APLOG_NOERRNO,
"script not found or unable to stat");
#endif
+ if (!suexec_enabled) {
+ if (!can_exec(&r->finfo))
+ return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
+ "file permissions deny server execution");
+ }
if ((retval = setup_client_block(r, REQUEST_CHUNKED_ERROR)))
return retval;
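Review bot: When `suexec_enabled` is set, this block makes no execute-permission test at all, and the same commit deletes both `can_exec` calls from util_script.c. On that path a non-executable script is therefore found only when the exec in the child fails, not reported here as FORBIDDEN. If that is intended because the server's own ids are the wrong thing to test under suexec, a comment would keep the gap from looking accidental, for example `/* under suexec the script runs as another user; permission enforcement is left to the wrapper and the exec itself */`. The two nested `if`s can also be one braced condition, `if (!suexec_enabled && !can_exec(&r->finfo)) {`. The enclosing handler starts and ends outside this hunk.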