rse 98/05/08 00:50:22
Modified: src CHANGES . INSTALL Makefile.tmpl README.configure configure
Log:
Cleanup the suEXEC support in APACI and make it more safe:
1. Add big fat hint in INSTALL about risks and to read the htdocs/manual/suexec.html document before using the suexec-related configure options.
2. Make sure the user has at least provided one --suexec-xxxx option (specifies suEXEC parameters) in addition to --enable-suexec option. If only --enable-suexec is given APACI stops with a hint to INSTALL and htdocs/manual/suexec.html documents.
3. Provide two additional --suexec-xxxx options to make the suEXEC configuration complete (especially for package maintainers who else had to patch the source tree) by providing ways to configure minimal UID/GID and safe PATH, too.
Revision Changes Path
1.834 +14 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.833
retrieving revision 1.834
diff -u -r1.833 -r1.834
--- CHANGES 1998/05/07 15:24:41 1.833
+++ CHANGES 1998/05/08 07:50:19 1.834
@@ -1,5 +1,19 @@ Changes with Apache 1.3b7 + *) Cleanup the suEXEC support in APACI and make it more safe: + 1. Add big fat hint in INSTALL about risks and to read the + htdocs/manual/suexec.html document before using the suexec-related + configure options. + 2. Make sure the user has at least provided one --suexec-xxxx option + (specifies suEXEC parameters) in addition to --enable-suexec option. + If only --enable-suexec is given APACI stops with a hint to INSTALL + and htdocs/manual/suexec.html documents. + 3. Provide two additional --suexec-xxxx options to make the suEXEC + configuration complete (especially for package maintainers who else + had to patch the source tree) by providing ways to configure minimal + UID/GID and safe PATH, too. + [Ralf S. Engelschall] + *) Cleanup of the `configure --shadow' process: - make sure the configure script creates its temporary files in the shadow tree to avoid conflicts with parallel configure runs 1.26 +25 -5 apache-1.3/INSTALL Index: INSTALL =================================================================== RCS file: /export/home/cvs/apache-1.3/INSTALL,v retrieving revision 1.25 retrieving revision 1.26 diff -u -r1.25 -r1.26 --- INSTALL 1998/05/06 15:44:26 1.25 +++ INSTALL 1998/05/08 07:50:20 1.26 @@ -148,10 +148,13 @@ [--localstatedir=DIR] [--enable-suexec] [--runtimedir=DIR] [--suexec-caller=UID] [--logfiledir=DIR] [--suexec-userdir=DIR] - [--proxycachedir=DIR] - [--compat] [--with-perl=FILE] - [--without-support] + [--proxycachedir=DIR] [--suexec-uidmin=UID] + [--compat] [--suexec-gidmin=GID] + [--suexec-safepath=PATH] + [--with-perl=FILE] + [--without-support] + Use the CC, OPTIM, CFLAGS, INCLUDES, LDFLAGS, LIBS, CFLAGS_SHLIB, LDFLAGS_SHLIB, LDFLAGS_SHLIB_EXPORT and RANLIB environment variables to override the corresponding default entries in the src/Configuration.tmpl 
@@ -262,9 +265,26 @@ Use the --enable-suexec option to enable the suEXEC feature by building and installing the "suexec" support program. Use --suexec-caller=UID to - set the allowed caller user id and --suexec-userdir=DIR to set the user - subdirectory for this feature. + set the allowed caller user id, the --suexec-userdir=DIR to set the user + subdirectory, the --suexec-uidmin=UID/--suexec-gidmin=GID to set the + minimal allowed UID/GID and --suexec-safepath=PATH to set the safe shell + PATH for the suEXEC feature. At least one --suexec-xxxxx option has + to be provided together with --enable-suexec option to let APACI accept + your request for using the suEXEC feature. + + CAUTION: FOR DETAILS ABOUT THE SUEXEC FEATURE WE HIGHLY RECOMMEND YOU TO + FIRST READ THE DOCUMENT htdocs/manual/suexec.html BEFORE USING + THE ABOVE OPTIONS. + USING THE SUEXEC FEATURE PROPERLY CAN REDUCE CONSIDERABLY THE + SECURITY RISKS INVOLVED WITH ALLOWING USERS TO DEVELOP AND RUN + PRIVATE CGI OR SSI PROGRAMS. HOWEVER, IF SUEXEC IS IMPROPERLY + CONFIGURED, IT CAN CAUSE ANY NUMBER OF PROBLEMS AND POSSIBLY + CREATE NEW HOLES IN YOUR COMPUTER'S SECURITY. IF YOU AREN'T + FAMILIAR WITH MANAGING SETUID ROOT PROGRAMS AND THE SECURITY + ISSUES THEY PRESENT, WE HIGHLY RECOMMEND THAT YOU NOT CONSIDER + USING SUEXEC AND KEEP AWAY FROM THESE OPTIONS! + Use the --shadow option to let APACI create a shadow source tree of the sources for building. This is useful when you want to build for different platforms in parallel (usually through a NFS, AFS or DFS mounted 1.34 +13 -2 apache-1.3/Makefile.tmpl Index: Makefile.tmpl =================================================================== RCS file: /export/home/cvs/apache-1.3/Makefile.tmpl,v retrieving revision 1.33 retrieving revision 1.34 diff -u -r1.33 -r1.34 --- Makefile.tmpl 1998/05/07 15:24:43 1.33 +++ Makefile.tmpl 1998/05/08 07:50:21 1.34 
@@ -114,6 +114,9 @@ suexec = @suexec@ suexec_caller = @suexec_caller@ suexec_userdir = @suexec_userdir@ +suexec_uidmin = @suexec_uidmin@ +suexec_gidmin = @suexec_gidmin@ +suexec_safepath = @suexec_safepath@ # usage of src/support stuff build-support = @build_support@ @@ -152,8 +155,16 @@ cd $(TOP)/$(SRC)/support; $(MAKE) $(MFLAGS) all; \ if [ ".$(suexec)" = .1 ]; then \ $(MAKE) $(MFLAGS) \ - EXTRA_CFLAGS='-DHTTPD_USER=\"$(suexec_caller)\" -DUSERDIR_SUFFIX=\"$(suexec_userdir)\"' \ - suexec; \ + EXTRA_CFLAGS='\ + -DHTTPD_USER=\"$(suexec_caller)\" \ + -DUID_MIN=$(suexec_uidmin) \ + -DGID_MIN=$(suexec_gidmin) \ + -DUSERDIR_SUFFIX=\"$(suexec_userdir)\" \ + -DLOG_EXEC=\"$(logfiledir)/suexec_log\" \ + -DDOC_ROOT=\"$(datadir)/htdocs\" \ + -DSAFE_PATH=\"$(suexec_safepath)\" \ + ' \ + suexec; \ fi; \ echo "<=== $(SRC)/support" 1.9 +3 -0 apache-1.3/README.configure Index: README.configure =================================================================== RCS file: /export/home/cvs/apache-1.3/README.configure,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- README.configure 1998/05/06 15:44:25 1.8 +++ README.configure 1998/05/08 07:50:21 1.9 @@ -95,6 +95,9 @@ --enable-suexec \ --suexec-caller=www \ --suexec-userdir=.www + --suexec-uidmin=1000 \ + --suexec-gidmin=1000 \ + --suexec-safepath="/bin:/usr/bin" $ make $ make install 1.24 +38 -0 apache-1.3/configure Index: configure =================================================================== RCS file: /export/home/cvs/apache-1.3/configure,v retrieving revision 1.23 retrieving revision 1.24 diff -u -r1.23 -r1.24 --- configure 1998/05/07 15:24:43 1.23 +++ configure 1998/05/08 07:50:21 1.24 @@ -164,8 +164,12 @@ # suexec defaults suexec=0 +suexec_ok=0 suexec_caller=www suexec_userdir=public_html +suexec_uidmin=100 +suexec_gidmin=100 +suexec_safepath="/usr/local/bin:/usr/bin:/bin" # with support tools support=1 
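Review bot: In the suexec branch of this recipe, `-DUID_MIN=$(suexec_uidmin)` and `-DGID_MIN=$(suexec_gidmin)` are expanded bare, and the whole flag list sits inside one single-quoted `EXTRA_CFLAGS='…'` string, so an empty value, or a `'` or `"` inside `$(suexec_safepath)`, `$(logfiledir)` or `$(datadir)`, changes what is compiled into the setuid helper or breaks the command. Nothing visible in this commit restricts those values before they reach the Makefile, so the check belongs in configure's option parsing. `DOC_ROOT` and `LOG_EXEC` are now fixed at build time from `$(datadir)` and `$(logfiledir)`; I would add a comment next to the `suexec_safepath = @suexec_safepath@` definition such as `# suexec compiles these paths in; rebuild suexec if datadir or logfiledir change`. The recipe starts and ends outside the hunk.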
@@ -347,6 +351,9 @@ echo " --enable-suexec enable the suEXEC feature" echo " --suexec-caller=NAME set the suEXEC username of the allowed caller [$suexec_caller]" echo " --suexec-userdir=DIR set the suEXEC user subdirectory [$suexec_userdir]" + echo " --suexec-uidmin=UID set the suEXEC minimal allowed UID [$suexec_uidmin]" + echo " --suexec-gidmin=GID set the suEXEC minimal allowed GID [$suexec_gidmin]" + echo " --suexec-safepath=PATH set the suEXEC safe PATH [$suexec_safepath]" echo "" exit 0 ;; @@ -631,10 +638,24 @@ ;; --suexec-caller=*) suexec_caller="$apc_optarg" + suexec_ok=1 ;; --suexec-userdir=*) suexec_userdir="$apc_optarg" + suexec_ok=1 ;; + --suexec-uidmin=*) + suexec_uidmin="$apc_optarg" + suexec_ok=1 + ;; + --suexec-gidmin=*) + suexec_gidmin="$apc_optarg" + suexec_ok=1 + ;; + --suexec-safepath=*) + suexec_safepath="$apc_optarg" + suexec_ok=1 + ;; * ) echo "configure:Error: invalid option '$apc_option'" 1>&2 exit 1 @@ -648,6 +669,20 @@ fi ## +## a few errors +## +if [ ".$suexec" = .1 ]; then + if [ ".$suexec_ok" = .0 ]; then + echo "configure:Error: You enabled the suEXEC feature via --enable-suexec but" + echo " without explicitly configuring it via at least one" + echo " --suexec-xxxxx option. Seems like you are still not" + echo " familiar with the suEXEC risks. Please read the INSTALL" + echo " and htdocs/manual/suexec.html documents first." + exit 1 + fi +fi + +## ## a few warnings ## if [ ".$PERL" = .no-perl-on-this-system ]; then @@ -780,6 +815,9 @@ -e "[EMAIL PROTECTED]@%$suexec%g" \ -e "[EMAIL PROTECTED]@%$suexec_caller%g" \ -e "[EMAIL PROTECTED]@%$suexec_userdir%g" \ +-e "[EMAIL PROTECTED]@%$suexec_uidmin%g" \ +-e "[EMAIL PROTECTED]@%$suexec_gidmin%g" \ +-e "[EMAIL PROTECTED]@%$suexec_safepath%g" \ -e "[EMAIL PROTECTED]@%$build_support%g" \ -e "[EMAIL PROTECTED]@%$install_support%g" \ -e "[EMAIL PROTECTED]@%$clean_support%g" \
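Review bot: The three new cases (`--suexec-uidmin`, `--suexec-gidmin`, `--suexec-safepath`) store `$apc_optarg` unchecked, yet these values become compile-time constants of the setuid suexec helper. They are also spliced into the `%`-delimited `sed -e` substitutions in the last hunk, where a `%` or `&` in the value would corrupt the replacement. I would reject non-numeric UID/GID minimums, and any safe PATH that is empty, has a relative or empty component, or contains characters outside a small allowed set, before setting `suexec_ok=1`. The enclosing `case` statement starts and ends outside the hunk.

```shell
        --suexec-uidmin=*)
            # UID_MIN is compiled into the setuid helper: accept digits only
            case "$apc_optarg" in
                ''|*[!0-9]*)
                    echo "configure:Error: --suexec-uidmin requires a numeric UID" 1>&2
                    exit 1
                    ;;
            esac
            suexec_uidmin="$apc_optarg"
            suexec_ok=1
            ;;
        # … --suexec-gidmin: same digits-only check, then unchanged assignments …
        --suexec-safepath=*)
            # every component must be an absolute directory; no empty or
            # relative entries, and no characters that would break the
            # sed substitution or the quoted -DSAFE_PATH definition
            case "$apc_optarg" in
                ''|[!/]*|*:[!/]*|*::*|*:|*[!A-Za-z0-9/:._-]*)
                    echo "configure:Error: --suexec-safepath must be a colon-separated list of absolute directories" 1>&2
                    exit 1
                    ;;
            esac
            suexec_safepath="$apc_optarg"
            suexec_ok=1
            ;;
```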
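Review bot: The five `echo` lines of the new suEXEC error go to stdout, whereas the invalid-option error visible in the option-parsing hunk ends in `1>&2`. Append `1>&2` to each so the message is not lost when stdout is redirected, e.g. `echo "configure:Error: You enabled the suEXEC feature via --enable-suexec but" 1>&2`. Also, `suexec_ok` only records that some `--suexec-xxxxx` option was passed, so `--suexec-caller=www` (the default value) satisfies the check. A comment above the block, e.g. `# suexec_ok only proves the user touched a --suexec-* option; values are not checked here`, would keep later readers from treating it as validation.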