Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2017-12-14 10:59:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_nss" Thu Dec 14 10:59:24 2017 rev:26 rq:556377 version:1.0.14 Changes: --------
--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2017-12-11 18:57:23.971999448 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2017-12-14 10:59:47.952906675 +0100
@@ -1,0 +2,6 @@
+Mon Dec 11 20:41:26 UTC 2017 - [email protected]
+
+- Fix NSS database startup permission check (bsc#1057776)
+ * add 0001-Handle-group-membership-when-testing-for-file-permis.patch
+
+-------------------------------------------------------------------
New: ---- 0001-Handle-group-membership-when-testing-for-file-permis.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ apache2-mod_nss.spec ++++++
--- /var/tmp/diff_new_pack.CoNwit/_old 2017-12-14 10:59:49.552829439 +0100
+++ /var/tmp/diff_new_pack.CoNwit/_new 2017-12-14 10:59:49.556829246 +0100
@@ -38,6 +38,7 @@
 Source5: vhost-nss.template
 Patch1: mod_nss-migrate.patch
 Patch2: mod_nss-gencert-correct-ownership.patch
+Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
 BuildRequires: apache-rpm-macros
 BuildRequires: apache2-devel >= 2.2.12
@@ -76,6 +77,7 @@
 %setup -q -n mod_nss-%{version}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %patch4 -p1
 # Touch expression parser sources to prevent regenerating it
++++++ 0001-Handle-group-membership-when-testing-for-file-permis.patch ++++++
>From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Thu, 23 Feb 2017 13:06:21 -0500
Subject: [PATCH] Handle group membership when testing for file permissions
This was a bit of a corner case but group membership wasn't considered when trying to determine if the NSS databases are readable.
Resolves BZ 1395300
---
 nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
 1 file changed, 33 insertions(+), 12 deletions(-)
Index: mod_nss-1.0.14/nss_engine_init.c
===================================================================
--- mod_nss-1.0.14.orig/nss_engine_init.c 2017-12-11 21:44:07.051660014 +0100
+++ mod_nss-1.0.14/nss_engine_init.c 2017-12-11 21:47:22.698850519 +0100
@@ -29,6 +29,7 @@
 #include "cert.h"
 #include <sys/types.h>
 #include <pwd.h>
+#include <grp.h>
 static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
 static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
@@ -57,22 +58,38 @@ static char *version_components[] = {
 * Return 0 on failure or file doesn't exist
 * Return 1 on success
 */
-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
+static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
+ apr_pool_t *p)
 {
 apr_finfo_t finfo;
- int rv;
+ PRBool in_group = PR_FALSE;
+ struct group *gr;
+ int i = 0;
+
+ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
+ == APR_SUCCESS) {
+ if ((gr = getgrgid(finfo.group)) == NULL) {
+ return 0;
+ }
- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
- p)) == APR_SUCCESS) {
+ if (gid == finfo.group) {
+ in_group = PR_TRUE;
+ } else {
+ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
+ if (!strcasecmp(user, gr->gr_mem[i++])) {
+ in_group = PR_TRUE;
+ break;
+ }
+ }
+ }
 if (((uid == finfo.user) && ((finfo.protection & APR_FPROT_UREAD))) ||
- ((gid == finfo.group) &&
- ((finfo.protection & APR_FPROT_GREAD)))
+ (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
+ (finfo.protection & APR_FPROT_WREAD)
 ) {
 return 1;
 }
- return 0;
 }
 return 0;
 }
@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r
 if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
 apr_snprintf(filepath, 1024, "%s/key4.db", mc->pCertificateDatabase+4);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS key " "database %s.", mc->user, filepath);
@@ -183,7 +201,8 @@ static void nss_init_SSLLibrary(server_r
 }
 apr_snprintf(filepath, 1024, "%s/cert9.db", mc->pCertificateDatabase+4);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS cert " "database %s.", mc->user, filepath);
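Review bot: In check_path, a NULL return from getgrgid(finfo.group) makes the whole check fail with `return 0` before the owner and world-readable bits are consulted, so a database owned by the server user whose gid has no entry in the group database (or whose lookup fails transiently with a networked NSS backend) is wrongly reported as unreadable at startup; the lookup should only gate the supplementary-group test. The membership loop compares names with strcasecmp, but Unix account names are case-sensitive, so a differently-cased member name could satisfy the check for a different account — `strcmp(user, gr->gr_mem[i++]) == 0` is the right test. getgrgid also hands back a static buffer; this is called from nss_init_SSLLibrary, which is presumably single-threaded at startup, but getgrgid_r would remove that dependency. A sketch of the restructured lookup follows.
```c
    if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
        == APR_SUCCESS) {
        if (gid == finfo.group) {
            in_group = PR_TRUE;
        } else if ((gr = getgrgid(finfo.group)) != NULL) {
            /* A missing group entry only disables the group test; the
             * owner and world read bits below still decide. */
            while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
                if (strcmp(user, gr->gr_mem[i++]) == 0) {
                    in_group = PR_TRUE;
                    break;
                }
            }
        }
        /* … unchanged: owner / group / world read test and return … */
```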
@@ -192,7 +211,8 @@ static void nss_init_SSLLibrary(server_r
 } else {
 apr_snprintf(filepath, 1024, "%s/key3.db", mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS key " "database %s.", mc->user, filepath);
@@ -200,7 +220,8 @@ static void nss_init_SSLLibrary(server_r
 }
 apr_snprintf(filepath, 1024, "%s/cert8.db", mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS cert " "database %s.", mc->user, filepath);
@@ -208,7 +229,7 @@ static void nss_init_SSLLibrary(server_r
 }
 apr_snprintf(filepath, 1024, "%s/secmod.db", mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS secmod " "database %s.", mc->user, filepath);
