cvs commit: apache-1.3/src/support suexec.c

2000-01-11 Thread coar
coar00/01/11 11:48:05

  Modified:.STATUS Makefile.tmpl configure
   src  CHANGES
   src/support suexec.c
  Log:
Allow the builder to specify a default umask for scripts
wrapped by suexec.
  
  PR:   4178
  Reviewed by:  Ryan Bloom, Martin Kraemer, Jim Jagielski, Greg Stein
  
  Revision  ChangesPath
  1.787 +1 -6  apache-1.3/STATUS
  
  Index: STATUS
  ===
  RCS file: /home/cvs/apache-1.3/STATUS,v
  retrieving revision 1.786
  retrieving revision 1.787
  diff -u -r1.786 -r1.787
  --- STATUS2000/01/11 19:25:24 1.786
  +++ STATUS2000/01/11 19:47:35 1.787
  @@ -1,5 +1,5 @@
 1.3 STATUS:
  -  Last modified at [$Date: 2000/01/11 19:25:24 $]
  +  Last modified at [$Date: 2000/01/11 19:47:35 $]
   
   Release:
   
  @@ -75,11 +75,6 @@
   
   
   Available Patches:
  -
  -* Ken's patch to allow for umask settings for suExec. Suggested
  -  by PR#4178.
  -Message-ID: [EMAIL PROTECTED]
  - Status: Ken +1, Ryan +1, Jim +1, Martin +1
   
   * Andrew Ford's patch (1999/12/05) to add absolute times to mod_expires
Message-ID: [EMAIL PROTECTED]
  
  
  
  1.95  +3 -1  apache-1.3/Makefile.tmpl
  
  Index: Makefile.tmpl
  ===
  RCS file: /home/cvs/apache-1.3/Makefile.tmpl,v
  retrieving revision 1.94
  retrieving revision 1.95
  diff -u -r1.94 -r1.95
  --- Makefile.tmpl 1999/12/09 17:19:35 1.94
  +++ Makefile.tmpl 2000/01/11 19:47:41 1.95
  @@ -135,6 +135,7 @@
   suexec_uidmin   = @suexec_uidmin@
   suexec_gidmin   = @suexec_gidmin@
   suexec_safepath = @suexec_safepath@
  +suexec_umask= @suexec_umask@
   
   #   some substituted configuration parameters
   conf_user= @conf_user@
  @@ -200,7 +201,8 @@
-DUSERDIR_SUFFIX=\$(suexec_userdir)\ \
-DLOG_EXEC=\$(suexec_logexec)\ \
-DDOC_ROOT=\$(suexec_docroot)\ \
  - -DSAFE_PATH=\$(suexec_safepath)\ ' \
  + -DSAFE_PATH=\$(suexec_safepath)\ \
  + $(suexec_umask)' \
suexec; \
fi
@echo === $(SRC)/support
  
  
  
  1.115 +15 -1 apache-1.3/configure
  
  Index: configure
  ===
  RCS file: /home/cvs/apache-1.3/configure,v
  retrieving revision 1.114
  retrieving revision 1.115
  diff -u -r1.114 -r1.115
  --- configure 1999/12/10 11:03:00 1.114
  +++ configure 2000/01/11 19:47:42 1.115
  @@ -240,6 +240,8 @@
   suexec_uidmin=100
   suexec_gidmin=100
   suexec_safepath=/usr/local/bin:/usr/bin:/bin
  +# if the umask is undefined, we don't change it
  +#suexec_umask=0755
   
   #   the installation flags
   iflags_program=-m 755 -s
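Review bot: The commented-out example `#suexec_umask=0755` does not match how the variable is used. The option handler later stores the whole compiler flag (`-DSUEXEC_UMASK=...`) in `suexec_umask`, and Makefile.tmpl pastes `$(suexec_umask)` straight into the suexec CFLAGS, so uncommenting this line as written would put a bare `0755` on the compiler command line. The value also reads like a file mode rather than a mask: as a umask, 0755 clears every owner permission bit on files the script creates. A comment such as `# unset by default (script inherits the server's umask); set via --suexec-umask=022` would describe the real behaviour.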
  @@ -449,6 +451,7 @@
   echo  --suexec-uidmin=UIDset the suEXEC minimal allowed UID 
[$suexec_uidmin]
   echo  --suexec-gidmin=GIDset the suEXEC minimal allowed GID 
[$suexec_gidmin]
   echo  --suexec-safepath=PATH set the suEXEC safe PATH 
[$suexec_safepath]
  +echo  --suexec-umask=UMASK   set the umask for the suEXEC'd 
script [server's umask]
   echo 
   echo Deprecated options:
   echo  --layout   backward compat only: use 
--show-layout
  @@ -976,6 +979,11 @@
   suexec_safepath=$apc_optarg
   suexec_ok=1
   ;;
  +--suexec-umask=*)
  +suexec_umask_val=$apc_optarg
  +suexec_umask=-DSUEXEC_UMASK=$apc_optarg
  +suexec_ok=1
  +;;
   --server-uid=*)
   conf_user=$apc_optarg
# protect the '#' against interpretation as comment
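Review bot: `$apc_optarg` is pasted into `-DSUEXEC_UMASK=` with no check that it is an octal mask. The value presumably ends up as a C integer constant passed to umask() (the suexec.c side is not visible on this page), so `--suexec-umask=22` would compile as decimal 22 and give a different mask than the builder meant. Anything that is not a number only surfaces later as a compiler or sed failure. A guard in this branch such as `case "$apc_optarg" in 0[0-7][0-7]|0[0-7][0-7][0-7]) ;; *) (print an error and exit 1) ;; esac` would reject such values at configure time. The enclosing option `case` starts and ends outside the hunk.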
  @@ -1085,7 +1093,7 @@
   for var in prefix exec_prefix bindir sbindir libexecdir mandir \
  sysconfdir datadir iconsdir htdocsdir cgidir includedir \
  localstatedir runtimedir logfiledir proxycachedir \
  -   suexec_docroot suexec_logexec; do
  +   suexec_docroot suexec_logexec ; do
   eval val=\\$$var\;
   val=`echo $val | sed -e 's:\(.\)/*$:\1:'`
   eval $var=\$val\
  @@ -1240,6 +1248,11 @@
   echo caller ID: $suexec_caller
   echo   minimum user ID: $suexec_uidmin
   echo  minimum group ID: $suexec_gidmin
  +if [ x$suexec_umask != x ]; then
  +echo umask: $suexec_umask_val
  + else
  +echo umask: running server's
  +fi
   echo 
   fi
   exit 0
  @@ -1290,6 +1303,7 @@
   -e [EMAIL PROTECTED]@%$suexec_uidmin%g \
   -e [EMAIL PROTECTED]@%$suexec_gidmin%g \
   -e [EMAIL PROTECTED]@%$suexec_safepath%g \
  +-e [EMAIL PROTECTED]@%$suexec_umask%g \
   -e [EMAIL PROTECTED]@%$conf_user%g \
   -e [EMAIL 

cvs commit: apache-1.3/src/support suexec.c

1999-02-21 Thread martin
martin  99/02/21 12:36:45

  Modified:src/support suexec.c
  Log:
  Use ap_execve() on platforms where exec() doesn't support #!
  
  Revision  ChangesPath
  1.50  +9 -0  apache-1.3/src/support/suexec.c
  
  Index: suexec.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v
  retrieving revision 1.49
  retrieving revision 1.50
  diff -u -r1.49 -r1.50
  --- suexec.c  1999/02/16 13:41:00 1.49
  +++ suexec.c  1999/02/21 20:36:44 1.50
  @@ -541,7 +541,16 @@
   /*
* Execute the command, replacing our image with its own.
*/
  +#ifdef NEED_HASHBANG_EMUL
  +/* We need the #! emulation when we want to execute scripts */
  +{
  + extern char **environ;
  +
  + ap_execve(cmd, argv[3], environ);
  +}
  +#else /*NEED_HASHBANG_EMUL*/
   execv(cmd, argv[3]);
  +#endif /*NEED_HASHBANG_EMUL*/
   
   /*
* (I can't help myself...sorry.)
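Review bot: The block-scope `extern char **environ;` repeats a declaration the file already has at file scope (it appears as context in the 1.47 hunk further down this page). The braces and the local declaration can therefore go, leaving only the `ap_execve(...)` call under the `#ifdef`. The comment could also say which environment is handed over: clean_env() assigns `environ = cleanenv`, so `/* environ is the sanitized list built by clean_env() */` would make it clear that the emulation path receives the same filtered environment as the execv() path. The return value of ap_execve() is not examined here, presumably because the failure handling after the `#endif` serves both branches; that code is outside the hunk.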
  
  
  


cvs commit: apache-1.3/src/support suexec.c

1999-02-16 Thread martin
martin  99/02/16 05:41:01

  Modified:src/support suexec.c
  Log:
  Initialize Job Environment on BS2000
  (not relevant for any other platform)
  
  Revision  ChangesPath
  1.49  +27 -0 apache-1.3/src/support/suexec.c
  
  Index: suexec.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v
  retrieving revision 1.48
  retrieving revision 1.49
  diff -u -r1.48 -r1.49
  --- suexec.c  1999/01/01 19:05:35 1.48
  +++ suexec.c  1999/02/16 13:41:00 1.49
  @@ -341,6 +341,33 @@
actual_gname = strdup(target_gname);
   }
   
  +#ifdef _OSD_POSIX
  +/*
  + * Initialize BS2000 user environment
  + */
  +{
  + pid_t pid;
  + int status;
  +
  + switch (pid = ufork(target_uname))
  + {
  + case -1:/* Error */
  + log_err(failed to setup bs2000 environment for user %s: %s\n,
  + target_uname, strerror(errno));
  + exit(150);
  + case 0: /* Child */
  + break;
  + default:/* Father */
  + while (pid != waitpid(pid, status, 0))
  + ;
  + /* @@@ FIXME: should we deal with STOP signals as well? */
  + if (WIFSIGNALED(status))
  + kill (getpid(), WTERMSIG(status));
  + exit(WEXITSTATUS(status));
  + }
  +}
  +#endif /*_OSD_POSIX*/
  +
   /*
* Save these for later since initgroups will hose the struct
*/
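Review bot: The wait loop `while (pid != waitpid(pid, status, 0))` never ends if waitpid() keeps failing for a reason other than an interrupted call, since -1 never equals `pid`, and `status` would then be read without having been set. Retrying only on EINTR and treating any other failure as fatal avoids that, e.g. `while (waitpid(pid, &status, 0) != pid) { if (errno != EINTR) { log_err(...); exit(150); } }`. After `kill(getpid(), WTERMSIG(status))` the code falls through to `exit(WEXITSTATUS(status))`, which is not a meaningful value for a signalled child if the signal does not end the parent; an explicit non-zero exit there would be safer. The enclosing function starts and ends outside the hunk.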
  
  
  


cvs commit: apache-1.3/src/support suexec.c

1998-12-17 Thread coar
coar98/12/17 06:58:57

  Modified:src  CHANGES
   src/support suexec.c
  Log:
fclose(NULL) isn't always a good idea.
  
  Submitted by: Rick Franchuk [EMAIL PROTECTED]
  Reviewed by:  Ken Coar
  
  Revision  ChangesPath
  1.1172+3 -0  apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1171
  retrieving revision 1.1172
  diff -u -r1.1171 -r1.1172
  --- CHANGES   1998/12/16 15:57:26 1.1171
  +++ CHANGES   1998/12/17 14:58:55 1.1172
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.4
   
  +  *) Fixed problem of fclose() on an unopened file in suexec if LOG_EXEC
  + wasn't defined.  [Rick Franchuk [EMAIL PROTECTED]]
  +
 *) Removed recently introduced bugs and disfigurements in APACI:
o fixed argument line processing: using $args was broken: It was not
  initialized and using args=$args $apc_option and even args=$args
  
  
  
  1.47  +11 -5 apache-1.3/src/support/suexec.c
  
  Index: suexec.c
  ===
  RCS file: /home/cvs/apache-1.3/src/support/suexec.c,v
  retrieving revision 1.46
  retrieving revision 1.47
  diff -u -r1.46 -r1.47
  --- suexec.c  1998/09/16 20:51:08 1.46
  +++ suexec.c  1998/12/17 14:58:57 1.47
  @@ -109,7 +109,7 @@
   #define AP_ENVBUF 256
   
   extern char **environ;
  -static FILE *log;
  +static FILE *log = NULL;
   
   char *safe_env_lst[] =
   {
  @@ -500,10 +500,16 @@
   /* 
* Be sure to close the log file so the CGI can't
* mess with it.  If the exec fails, it will be reopened 
  - * automatically when log_err is called.
  - */
  -fclose(log);
  -log = NULL;
  + * automatically when log_err is called.  Note that the log
  + * might not actually be open if LOG_EXEC isn't defined.
  + * However, the log cell isn't ifdef'd so let's be defensive
  + * and assume someone might have done something with it
  + * outside an ifdef'd LOG_EXEC block.
  + */
  +if (log != NULL) {
  + fclose(log);
  + log = NULL;
  +}
   
   /*
* Execute the command, replacing our image with its own.
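Review bot: Closing the stream at this one spot protects only this path to exec; the property the comment describes ("so the CGI can't mess with it") would hold more reliably if the descriptor were marked close-on-exec where it is opened. The `fopen(LOG_EXEC, ...)` lives in log_err(), outside this hunk (it is visible in the 1.39 hunk on this page); adding `fcntl(fileno(log), F_SETFD, FD_CLOEXEC);` right after a successful open there would cover any later exec, including one reached after the log has been reopened. The `fclose(log)` result is also ignored, so a failed final flush of the transaction record would go unnoticed.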
  
  
  


cvs commit: apache-1.3/src/support suexec.c

1998-09-16 Thread manoj
manoj   98/09/16 13:51:09

  Modified:src/support suexec.c
  Log:
  Fix a missing semicolon
  
  Revision  ChangesPath
  1.46  +1 -1  apache-1.3/src/support/suexec.c
  
  Index: suexec.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v
  retrieving revision 1.45
  retrieving revision 1.46
  diff -u -r1.45 -r1.46
  --- suexec.c  1998/09/10 09:23:59 1.45
  +++ suexec.c  1998/09/16 20:51:08 1.46
  @@ -211,7 +211,7 @@
   
   sprintf(pathbuf, PATH=%s, SAFE_PATH);
   cleanenv[cidx] = strdup(pathbuf);
  -cidx++
  +cidx++;
   
   for (ep = environ; *ep  cidx  AP_ENVBUF-1; ep++) {
if (!strncmp(*ep, HTTP_, 5)) {
  
  
  


cvs commit: apache-1.3/src/support suexec.c

1998-09-10 Thread rse
rse 98/09/10 02:23:59

  Modified:src  CHANGES
   src/support suexec.c
  Log:
  Fix possible buffer overflow situation in suexec.c.
  
  PS: PR#2790 provides a few more fixes for problematic
  things in suexec.c. Because we have to be very careful here, others
  should review them, too. That's why I commit only some of the fixes from
  this patch.
  
  The other problem we _really_ have to fix is the docroot-check at line
  428. But here the patch from the PR submitter seems to introduce a new
  problem: It accesses cwd[dlen], which can be out of memory bounds. Here
  the memory bounds have to be checked first.
  
  So, I would appreciate when someothers look at PR#2790, please.  At least
  the docroot-check _has_ to be fixed by us! But correctly, i.e. without
  introducing new problems, of course ;_)
  
  Submitted by: Jeff Stewart [EMAIL PROTECTED]
  Reviewed by: Ralf S. Engelschall
  PR: 2790
  
  Revision  ChangesPath
  1.1054+3 -0  apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1053
  retrieving revision 1.1054
  diff -u -r1.1053 -r1.1054
  --- CHANGES   1998/09/10 08:58:40 1.1053
  +++ CHANGES   1998/09/10 09:23:57 1.1054
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.2
   
  +  *) Fix possible buffer overflow situation in suexec.c.
  + [Jeff Stewart [EMAIL PROTECTED]] PR#2790
  +
 *) Add some more LIBS for the SCO5 platform which are needed for the 
already
used -lprot. It's actually a bug in SCO5, of course.
[Ronald Record [EMAIL PROTECTED]] PR#2533
  
  
  
  1.45  +6 -4  apache-1.3/src/support/suexec.c
  
  Index: suexec.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v
  retrieving revision 1.44
  retrieving revision 1.45
  diff -u -r1.44 -r1.45
  --- suexec.c  1998/07/13 11:32:59 1.44
  +++ suexec.c  1998/09/10 09:23:59 1.45
  @@ -209,7 +209,11 @@
exit(120);
   }
   
  -for (ep = environ; *ep  cidx  AP_ENVBUF; ep++) {
  +sprintf(pathbuf, PATH=%s, SAFE_PATH);
  +cleanenv[cidx] = strdup(pathbuf);
  +cidx++
  +
  +for (ep = environ; *ep  cidx  AP_ENVBUF-1; ep++) {
if (!strncmp(*ep, HTTP_, 5)) {
cleanenv[cidx] = *ep;
cidx++;
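Review bot: The `sprintf(pathbuf, ...)` moved to the top of the list is still unbounded, and the `strdup()` result is stored in `cleanenv[cidx]` unchecked. If strdup() returns NULL, the first slot terminates the list and the target would run with what looks like an empty environment and no PATH. A bounded formatter such as the `ap_snprintf` seen in the 1.41 hunk on this page, `ap_snprintf(pathbuf, sizeof(pathbuf), "PATH=%s", SAFE_PATH);` (assuming `pathbuf` is an array; its declaration is outside the hunk), plus a log_err()/exit when strdup() fails, would make both failures explicit. The added `cidx++` also lacks its semicolon, which revision 1.46 on this page corrects. The `AP_ENVBUF-1` bound, together with the second hunk's plain `cleanenv[cidx] = NULL`, does keep a slot free for the terminator.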
  @@ -226,9 +230,7 @@
}
   }
   
  -sprintf(pathbuf, PATH=%s, SAFE_PATH);
  -cleanenv[cidx] = strdup(pathbuf);
  -cleanenv[++cidx] = NULL;
  +cleanenv[cidx] = NULL;
   
   environ = cleanenv;
   }
  
  
  


cvs commit: apache-1.3/src/support suexec.c

1998-07-08 Thread coar
coar98/07/07 16:19:24

  Modified:src  CHANGES
   src/support suexec.c
  Log:
Put back the bits that aren't controversial. :-)
  
  Revision  ChangesPath
  1.950 +2 -0  apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.949
  retrieving revision 1.950
  diff -u -r1.949 -r1.950
  --- CHANGES   1998/07/07 17:23:19 1.949
  +++ CHANGES   1998/07/07 23:19:22 1.950
  @@ -1,5 +1,7 @@
   Changes with Apache 1.3.1
   
  +  *) suexec's error messages have been clarified a little bit.  [Ken Coar]
  +
 *) PORT: Apache is not 8-bit clean in many settings, a problem we're
aware of and intend to fix properly.  But a temporary workaround
which should work for many folks is to tell the C compiler to use
  
  
  
  1.43  +4 -4  apache-1.3/src/support/suexec.c
  
  Index: suexec.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v
  retrieving revision 1.42
  retrieving revision 1.43
  diff -u -r1.42 -r1.43
  --- suexec.c  1998/07/07 17:04:19 1.42
  +++ suexec.c  1998/07/07 23:19:24 1.43
  @@ -205,7 +205,7 @@
   
   
   if ((cleanenv = (char **) calloc(AP_ENVBUF, sizeof(char *))) == NULL) {
  - log_err(failed to malloc env mem\n);
  +log_err(failed to malloc memory for environment\n);
exit(120);
   }
   
  @@ -283,12 +283,12 @@
   #ifdef _OSD_POSIX
   /* User name comparisons are case insensitive on BS2000/OSD */
   if (strcasecmp(HTTPD_USER, pw-pw_name)) {
  - log_err(user mismatch (%s)\n, pw-pw_name);
  +log_err(user mismatch (%s instead of %s)\n, pw-pw_name, 
HTTPD_USER);
exit(103);
   }
   #else  /*_OSD_POSIX*/
   if (strcmp(HTTPD_USER, pw-pw_name)) {
  - log_err(user mismatch (%s)\n, pw-pw_name);
  +log_err(user mismatch (%s instead of %s)\n, pw-pw_name, 
HTTPD_USER);
exit(103);
   }
   #endif /*_OSD_POSIX*/
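Review bot: The caller check now exists as two full copies that differ only in the comparison function, and this change had to edit the `log_err` text in both. In a setuid wrapper, duplicated access checks tend to drift apart over time. Selecting the function once under the `#ifdef` (for example a file-local macro that expands to `strcasecmp` on _OSD_POSIX and `strcmp` elsewhere; the name is up to the author) and keeping a single `if`/`log_err`/`exit(103)` would leave one check to maintain. The duplication originates in the 1.36 hunk at `@@ -284,10 +284,18 @@` further down this page. The enclosing function is outside the hunk.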
  @@ -350,7 +350,7 @@
* Log the transaction here to be sure we have an open log 
* before we setuid().
*/
  -log_err(uid: (%s/%s) gid: (%s/%s) %s\n,
  +log_err(uid: (%s/%s) gid: (%s/%s) cmd: %s\n,
target_uname, actual_uname,
target_gname, actual_gname,
cmd);
  
  
  


Re: cvs commit: apache-1.3/src/support suexec.c

1998-07-07 Thread Rodent of Unusual Size
Yes, there was a PR on this, #2250.  It has been closed, but the message
was excessively cryptic and didn't help, so I was making it a little
more meaningful.  I was going to address Marc's concerns to-night.

Please restore 1.40, and stop reverting other people's work without
checking with them first - particularly when, as you indicated in your
commit message, you're not familiar with the issues.

#kenP-|}


cvs commit: apache-1.3/src/support suexec.c

1998-07-01 Thread coar
coar98/07/01 03:34:21

  Modified:src/support suexec.c
  Log:
Redo the 'too few arguments' error reporting in a way that doesn't
do excessive unsafe string copying (which Marc pointed out was a
flaw in the last edit).
  
  Revision  ChangesPath
  1.41  +27 -1 apache-1.3/src/support/suexec.c
  
  Index: suexec.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v
  retrieving revision 1.40
  retrieving revision 1.41
  diff -u -r1.40 -r1.41
  --- suexec.c  1998/06/20 11:07:38 1.40
  +++ suexec.c  1998/07/01 10:34:20 1.41
  @@ -261,10 +261,36 @@
   if (argc  4) {
   char msgbuf[2048];
int i;
  + int clen;
  + static char *omsg =  {buffer overflow};
  + int olen = strlen(omsg);
   
ap_snprintf(msgbuf, sizeof(msgbuf), too few (%d) arguments:, argc);
  + clen = strlen(msgbuf);
for (i = 0; i  argc; i++) {
  - ap_snprintf(msgbuf, sizeof(msgbuf), %s [%s], msgbuf, argv[i]);
  + int alen = strlen(argv[i]) + 4;
  + int rlen = sizeof(msgbuf) - clen - 1;
  + int oflow = (alen  rlen);
  +
  + alen = oflow ? rlen : alen;
  + if (rlen  1) {
  + msgbuf[clen++] = ' ';
  + alen--;
  + }
  + if (rlen  2) {
  + msgbuf[clen++] = '[';
  + alen--;
  + }
  + ap_cpystrn(msgbuf[clen], argv[i], alen);
  + if (oflow) {
  + ap_cpystrn(msgbuf[sizeof(msgbuf) - olen - 1], omsg, olen + 1);
  + break;
  + }
  + else {
  + clen += alen - 2;
  + msgbuf[clen++] = ']';
  + msgbuf[clen] = '\0';
  + }
}
log_err(%s\n, msgbuf);
exit(101);
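Review bot: Each `argv[i]` is copied into `msgbuf` and written to the log verbatim, so a newline or other control character in an argument lands in the suexec log as-is and can make one invocation read like several records. Judging by the hunk offsets on this page, the argument-count check sits ahead of the HTTPD_USER comparison, so this text comes from whoever invoked the binary. Masking control characters in `msgbuf` just before the `log_err` call keeps each record on one line; the sketch uses `iscntrl()`, for which the file may need `<ctype.h>`. Separately, the length bookkeeping mixes `int` with the `size_t` results of `strlen`/`sizeof`; it holds for a 2048-byte buffer but is hard to audit. The `if` block closes outside the hunk.

```c
    /* … unchanged: building msgbuf from argc and argv[] … */
    /* keep the record on one line: mask control characters taken from argv */
    for (i = 0; msgbuf[i] != '\0'; i++) {
        if (iscntrl((unsigned char) msgbuf[i])) {
            msgbuf[i] = '?';
        }
    }
    log_err("%s\n", msgbuf);
```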
  
  
  


cvs commit: apache-1.3/src/support suexec.c

1998-06-18 Thread coar
coar98/06/18 12:06:57

  Modified:src/support suexec.c
  Log:
A wee bit of cleanup (cosmetic only).
  
  Revision  ChangesPath
  1.39  +8 -7  apache-1.3/src/support/suexec.c
  
  Index: suexec.c
  ===
  RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v
  retrieving revision 1.38
  retrieving revision 1.39
  diff -u -r1.38 -r1.39
  --- suexec.c  1998/04/21 20:14:06 1.38
  +++ suexec.c  1998/06/18 19:06:56 1.39
  @@ -161,12 +161,13 @@
   time_t timevar;
   struct tm *lt;
   
  -if (!log)
  +if (!log) {
if ((log = fopen(LOG_EXEC, a)) == NULL) {
fprintf(stderr, failed to open log file\n);
perror(fopen);
exit(1);
}
  +}
   
   time(timevar);
   lt = localtime(timevar);
  @@ -215,7 +216,8 @@
}
else {
for (idx = 0; safe_env_lst[idx]; idx++) {
  - if (!strncmp(*ep, safe_env_lst[idx], 
strlen(safe_env_lst[idx]))) {
  + if (!strncmp(*ep, safe_env_lst[idx],
  +  strlen(safe_env_lst[idx]))) {
cleanenv[cidx] = *ep;
cidx++;
break;
  @@ -239,8 +241,8 @@
   char *target_uname;  /* target user name  */
   char *target_gname;  /* target group name */
   char *target_homedir;/* target home directory */
  -char *actual_uname;  /* actual user name*/
  -char *actual_gname;  /* actual group name   */
  +char *actual_uname;  /* actual user name  */
  +char *actual_gname;  /* actual group name */
   char *prog;  /* name of this program  */
   char *cmd;   /* command to be executed*/
   char cwd[AP_MAXPATH];/* current working directory */
  @@ -250,8 +252,6 @@
   struct stat dir_info;/* directory info holder */
   struct stat prg_info;/* program info holder   */
   
  -
  -
   /*
* If there are a proper number of arguments, set
* all of them to variables.  Otherwise, error out.
  @@ -476,7 +476,8 @@
(gid != dir_info.st_gid) ||
(uid != prg_info.st_uid) ||
(gid != prg_info.st_gid)) {
  - log_err(target uid/gid (%ld/%ld) mismatch with directory (%ld/%ld) or 
program (%ld/%ld)\n,
  + log_err(target uid/gid (%ld/%ld) mismatch 
  + with directory (%ld/%ld) or program (%ld/%ld)\n,
uid, gid,
dir_info.st_uid, dir_info.st_gid,
prg_info.st_uid, prg_info.st_gid);
  
  
  


cvs commit: apache-1.3/src/support suexec.c

1998-03-20 Thread martin
martin  98/03/20 03:33:02

  Modified:src/support suexec.c
  Log:
  Add the same conditions for initgroups() existence as we use in apache's 
conf.h;
  Add case insensitivity for BS2000's user name comparison (yes, that's how it 
is);
  Add an error message if the executable isn't executable.
  
  Revision  ChangesPath
  1.36  +18 -1 apache-1.3/src/support/suexec.c
  
  Index: suexec.c
  ===
  RCS file: /home/cvs/apache-1.3/src/support/suexec.c,v
  retrieving revision 1.35
  retrieving revision 1.36
  diff -u -u -r1.35 -r1.36
  --- suexec.c  1998/03/19 09:56:43 1.35
  +++ suexec.c  1998/03/20 11:33:00 1.36
  @@ -94,7 +94,7 @@
***
*/
   
  -#if defined(QNX)
  +#if defined(QNX) || defined(_OSD_POSIX) || defined(MPE) || defined(SCO) || 
defined(BEOS)
   int initgroups(const char *name, gid_t basegid)
   {
   /* QNX and MPE do not appear to support supplementary groups. */
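Review bot: The widened `#if` applies the local initgroups() replacement to _OSD_POSIX, SCO and BEOS as well, but the comment beneath it still names only QNX and MPE. It should list what is now covered, e.g. `/* QNX, MPE, BS2000, SCO and BeOS: no usable initgroups(); supplementary groups are not set here. */`. The wrapper appears to depend on initgroups() to replace the invoking server's supplementary groups before it switches identity. It is therefore worth confirming, for each platform added here, that none are inherited; if one does support them, an explicit `setgroups()` call would be needed rather than a stub. The stub body lies outside the hunk, so what it actually does is not visible here.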
  @@ -284,10 +284,18 @@
* is the user allowed to do so as defined in
* suexec.h.  If not the allowed user, error out.
*/
  +#ifdef _OSD_POSIX
  +/* User name comparisons are case insensitive on BS2000/OSD */
  +if (strcasecmp(HTTPD_USER, pw-pw_name)) {
  + log_err(user mismatch (%s)\n, pw-pw_name);
  + exit(103);
  +}
  +#else  /*_OSD_POSIX*/
   if (strcmp(HTTPD_USER, pw-pw_name)) {
log_err(user mismatch (%s)\n, pw-pw_name);
exit(103);
   }
  +#endif /*_OSD_POSIX*/
   
   /*
* Check for a leading '/' (absolute path) in the command to be executed,
  @@ -477,6 +485,15 @@
dir_info.st_uid, dir_info.st_gid,
prg_info.st_uid, prg_info.st_gid);
exit(120);
  +}
  +/*
  + * Error out if the program is not executable for the user.
  + * Otherwise, she won't find any error in the logs except for
  + * [error] Premature end of script headers: ...
  + */
  +if (!(prg_info.st_mode  S_IXUSR)) {
  + log_err(file has no execute permission: (%s/%s)\n, cwd, cmd);
  + exit(121);
   }
   
   clean_env();