cvs commit: apache-1.3/src/support suexec.c
coar00/01/11 11:48:05 Modified:.STATUS Makefile.tmpl configure src CHANGES src/support suexec.c Log: Allow the builder to specify a default umask for scripts wrapped by suexec. PR: 4178 Reviewed by: Ryan Bloom, Martin Kraemer, Jim Jagielski, Greg Stein Revision ChangesPath 1.787 +1 -6 apache-1.3/STATUS Index: STATUS === RCS file: /home/cvs/apache-1.3/STATUS,v retrieving revision 1.786 retrieving revision 1.787 diff -u -r1.786 -r1.787 --- STATUS2000/01/11 19:25:24 1.786 +++ STATUS2000/01/11 19:47:35 1.787 @@ -1,5 +1,5 @@ 1.3 STATUS: - Last modified at [$Date: 2000/01/11 19:25:24 $] + Last modified at [$Date: 2000/01/11 19:47:35 $] Release: @@ -75,11 +75,6 @@ Available Patches: - -* Ken's patch to allow for umask settings for suExec. Suggested - by PR#4178. -Message-ID: [EMAIL PROTECTED] - Status: Ken +1, Ryan +1, Jim +1, Martin +1 * Andrew Ford's patch (1999/12/05) to add absolute times to mod_expires Message-ID: [EMAIL PROTECTED] 1.95 +3 -1 apache-1.3/Makefile.tmpl Index: Makefile.tmpl === RCS file: /home/cvs/apache-1.3/Makefile.tmpl,v retrieving revision 1.94 retrieving revision 1.95 diff -u -r1.94 -r1.95 --- Makefile.tmpl 1999/12/09 17:19:35 1.94 +++ Makefile.tmpl 2000/01/11 19:47:41 1.95 @@ -135,6 +135,7 @@ suexec_uidmin = @suexec_uidmin@ suexec_gidmin = @suexec_gidmin@ suexec_safepath = @suexec_safepath@ +suexec_umask= @suexec_umask@ # some substituted configuration parameters conf_user= @conf_user@ @@ -200,7 +201,8 @@ -DUSERDIR_SUFFIX=\$(suexec_userdir)\ \ -DLOG_EXEC=\$(suexec_logexec)\ \ -DDOC_ROOT=\$(suexec_docroot)\ \ - -DSAFE_PATH=\$(suexec_safepath)\ ' \ + -DSAFE_PATH=\$(suexec_safepath)\ \ + $(suexec_umask)' \ suexec; \ fi @echo === $(SRC)/support 1.115 +15 -1 apache-1.3/configure Index: configure === RCS file: /home/cvs/apache-1.3/configure,v retrieving revision 1.114 retrieving revision 1.115 diff -u -r1.114 -r1.115 --- configure 1999/12/10 11:03:00 1.114 +++ configure 2000/01/11 19:47:42 1.115 @@ -240,6 +240,8 @@ suexec_uidmin=100 suexec_gidmin=100 suexec_safepath=/usr/local/bin:/usr/bin:/bin +# if the umask is undefined, we don't change it +#suexec_umask=0755 # the installation flags iflags_program=-m 755 -s @@ -449,6 +451,7 @@ echo --suexec-uidmin=UIDset the suEXEC minimal allowed UID [$suexec_uidmin] echo --suexec-gidmin=GIDset the suEXEC minimal allowed GID [$suexec_gidmin] echo --suexec-safepath=PATH set the suEXEC safe PATH [$suexec_safepath] +echo --suexec-umask=UMASK set the umask for the suEXEC'd script [server's umask] echo echo Deprecated options: echo --layout backward compat only: use --show-layout @@ -976,6 +979,11 @@ suexec_safepath=$apc_optarg suexec_ok=1 ;; +--suexec-umask=*) +suexec_umask_val=$apc_optarg +suexec_umask=-DSUEXEC_UMASK=$apc_optarg +suexec_ok=1 +;; --server-uid=*) conf_user=$apc_optarg # protect the '#' against interpretation as comment @@ -1085,7 +1093,7 @@ for var in prefix exec_prefix bindir sbindir libexecdir mandir \ sysconfdir datadir iconsdir htdocsdir cgidir includedir \ localstatedir runtimedir logfiledir proxycachedir \ - suexec_docroot suexec_logexec; do + suexec_docroot suexec_logexec ; do eval val=\\$$var\; val=`echo $val | sed -e 's:\(.\)/*$:\1:'` eval $var=\$val\ @@ -1240,6 +1248,11 @@ echo caller ID: $suexec_caller echo minimum user ID: $suexec_uidmin echo minimum group ID: $suexec_gidmin +if [ x$suexec_umask != x ]; then +echo umask: $suexec_umask_val + else +echo umask: running server's +fi echo fi exit 0 @@ -1290,6 +1303,7 @@ -e [EMAIL PROTECTED]@%$suexec_uidmin%g \ -e [EMAIL PROTECTED]@%$suexec_gidmin%g \ -e [EMAIL PROTECTED]@%$suexec_safepath%g \ +-e [EMAIL PROTECTED]@%$suexec_umask%g \ -e [EMAIL PROTECTED]@%$conf_user%g \ -e [EMAIL
cvs commit: apache-1.3/src/support suexec.c
martin 99/02/21 12:36:45 Modified:src/support suexec.c Log: Use ap_execve() on platforms where exec() doesn support #! Revision ChangesPath 1.50 +9 -0 apache-1.3/src/support/suexec.c Index: suexec.c === RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v retrieving revision 1.49 retrieving revision 1.50 diff -u -r1.49 -r1.50 --- suexec.c 1999/02/16 13:41:00 1.49 +++ suexec.c 1999/02/21 20:36:44 1.50 @@ -541,7 +541,16 @@ /* * Execute the command, replacing our image with its own. */ +#ifdef NEED_HASHBANG_EMUL +/* We need the #! emulation when we want to execute scripts */ +{ + extern char **environ; + + ap_execve(cmd, argv[3], environ); +} +#else /*NEED_HASHBANG_EMUL*/ execv(cmd, argv[3]); +#endif /*NEED_HASHBANG_EMUL*/ /* * (I can't help myself...sorry.)
cvs commit: apache-1.3/src/support suexec.c
martin 99/02/16 05:41:01 Modified:src/support suexec.c Log: Initialize Job Environment on BS2000 (not relevant for any other platform) Revision ChangesPath 1.49 +27 -0 apache-1.3/src/support/suexec.c Index: suexec.c === RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v retrieving revision 1.48 retrieving revision 1.49 diff -u -r1.48 -r1.49 --- suexec.c 1999/01/01 19:05:35 1.48 +++ suexec.c 1999/02/16 13:41:00 1.49 @@ -341,6 +341,33 @@ actual_gname = strdup(target_gname); } +#ifdef _OSD_POSIX +/* + * Initialize BS2000 user environment + */ +{ + pid_t pid; + int status; + + switch (pid = ufork(target_uname)) + { + case -1:/* Error */ + log_err(failed to setup bs2000 environment for user %s: %s\n, + target_uname, strerror(errno)); + exit(150); + case 0: /* Child */ + break; + default:/* Father */ + while (pid != waitpid(pid, status, 0)) + ; + /* @@@ FIXME: should we deal with STOP signals as well? */ + if (WIFSIGNALED(status)) + kill (getpid(), WTERMSIG(status)); + exit(WEXITSTATUS(status)); + } +} +#endif /*_OSD_POSIX*/ + /* * Save these for later since initgroups will hose the struct */
cvs commit: apache-1.3/src/support suexec.c
coar98/12/17 06:58:57 Modified:src CHANGES src/support suexec.c Log: fclose(NULL) isn't always a good idea. Submitted by: Rick Franchuk [EMAIL PROTECTED] Reviewed by: Ken Coar Revision ChangesPath 1.1172+3 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1171 retrieving revision 1.1172 diff -u -r1.1171 -r1.1172 --- CHANGES 1998/12/16 15:57:26 1.1171 +++ CHANGES 1998/12/17 14:58:55 1.1172 @@ -1,5 +1,8 @@ Changes with Apache 1.3.4 + *) Fixed problem of fclose() on an unopened file in suexec if LOG_EXEC + wasn't defined. [Rick Franchuk [EMAIL PROTECTED]] + *) Removed recently introduced bugs and disfigurements in APACI: o fixed argument line processing: using $args was broken: It was not initialized and using args=$args $apc_option and even args=$args 1.47 +11 -5 apache-1.3/src/support/suexec.c Index: suexec.c === RCS file: /home/cvs/apache-1.3/src/support/suexec.c,v retrieving revision 1.46 retrieving revision 1.47 diff -u -r1.46 -r1.47 --- suexec.c 1998/09/16 20:51:08 1.46 +++ suexec.c 1998/12/17 14:58:57 1.47 @@ -109,7 +109,7 @@ #define AP_ENVBUF 256 extern char **environ; -static FILE *log; +static FILE *log = NULL; char *safe_env_lst[] = { @@ -500,10 +500,16 @@ /* * Be sure to close the log file so the CGI can't * mess with it. If the exec fails, it will be reopened - * automatically when log_err is called. - */ -fclose(log); -log = NULL; + * automatically when log_err is called. Note that the log + * might not actually be open if LOG_EXEC isn't defined. + * However, the log cell isn't ifdef'd so let's be defensive + * and assume someone might have done something with it + * outside an ifdef'd LOG_EXEC block. + */ +if (log != NULL) { + fclose(log); + log = NULL; +} /* * Execute the command, replacing our image with its own.
cvs commit: apache-1.3/src/support suexec.c
manoj 98/09/16 13:51:09 Modified:src/support suexec.c Log: Fix a missing semicolon Revision ChangesPath 1.46 +1 -1 apache-1.3/src/support/suexec.c Index: suexec.c === RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v retrieving revision 1.45 retrieving revision 1.46 diff -u -r1.45 -r1.46 --- suexec.c 1998/09/10 09:23:59 1.45 +++ suexec.c 1998/09/16 20:51:08 1.46 @@ -211,7 +211,7 @@ sprintf(pathbuf, PATH=%s, SAFE_PATH); cleanenv[cidx] = strdup(pathbuf); -cidx++ +cidx++; for (ep = environ; *ep cidx AP_ENVBUF-1; ep++) { if (!strncmp(*ep, HTTP_, 5)) {
cvs commit: apache-1.3/src/support suexec.c
rse 98/09/10 02:23:59 Modified:src CHANGES src/support suexec.c Log: Fix possible buffer overflow situation in suexec.c. PS: The PR#2790 provides a few more fixes for problematic things in suexec.c. Because we have to be very carefully here, other should review them, too. That's why I commit only some of the fixes from this patch. The other problem we _really_ have to fix is the docroot-check at line 428. But here the patch from the PR submitter seems to introduce a new problem: It accesses cwd[dlen] which can be out of memory bounds. Here memory bounds have to checked first. So, I would appreciate when someothers look at PR#2790, please. At least the docroot-check _has_ to be fixed by us! But correctly, i.e. without introducing new problems, of course ;_) Submitted by: Jeff Stewart [EMAIL PROTECTED] Reviewed by: Ralf S. Engelschall PR: 2790 Revision ChangesPath 1.1054+3 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1053 retrieving revision 1.1054 diff -u -r1.1053 -r1.1054 --- CHANGES 1998/09/10 08:58:40 1.1053 +++ CHANGES 1998/09/10 09:23:57 1.1054 @@ -1,5 +1,8 @@ Changes with Apache 1.3.2 + *) Fix possible buffer overflow situation in suexec.c. + [Jeff Stewart [EMAIL PROTECTED]] PR#2790 + *) Add some more LIBS for the SCO5 platform which are needed for the already used -lprot. It's actually a bug in SCO5, of course. [Ronald Record [EMAIL PROTECTED]] PR#2533 1.45 +6 -4 apache-1.3/src/support/suexec.c Index: suexec.c === RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v retrieving revision 1.44 retrieving revision 1.45 diff -u -r1.44 -r1.45 --- suexec.c 1998/07/13 11:32:59 1.44 +++ suexec.c 1998/09/10 09:23:59 1.45 @@ -209,7 +209,11 @@ exit(120); } -for (ep = environ; *ep cidx AP_ENVBUF; ep++) { +sprintf(pathbuf, PATH=%s, SAFE_PATH); +cleanenv[cidx] = strdup(pathbuf); +cidx++ + +for (ep = environ; *ep cidx AP_ENVBUF-1; ep++) { if (!strncmp(*ep, HTTP_, 5)) { cleanenv[cidx] = *ep; cidx++; @@ -226,9 +230,7 @@ } } -sprintf(pathbuf, PATH=%s, SAFE_PATH); -cleanenv[cidx] = strdup(pathbuf); -cleanenv[++cidx] = NULL; +cleanenv[cidx] = NULL; environ = cleanenv; }
cvs commit: apache-1.3/src/support suexec.c
coar98/07/07 16:19:24 Modified:src CHANGES src/support suexec.c Log: Put back the bits that aren't controversial. :-) Revision ChangesPath 1.950 +2 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.949 retrieving revision 1.950 diff -u -r1.949 -r1.950 --- CHANGES 1998/07/07 17:23:19 1.949 +++ CHANGES 1998/07/07 23:19:22 1.950 @@ -1,5 +1,7 @@ Changes with Apache 1.3.1 + *) suexec's error messages have been clarified a little bit. [Ken Coar] + *) PORT: Apache is not 8-bit clean in many settings, a problem we're aware of and intend to fix properly. But a temporary workaround which should work for many folks is to tell the C compiler to use 1.43 +4 -4 apache-1.3/src/support/suexec.c Index: suexec.c === RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v retrieving revision 1.42 retrieving revision 1.43 diff -u -r1.42 -r1.43 --- suexec.c 1998/07/07 17:04:19 1.42 +++ suexec.c 1998/07/07 23:19:24 1.43 @@ -205,7 +205,7 @@ if ((cleanenv = (char **) calloc(AP_ENVBUF, sizeof(char *))) == NULL) { - log_err(failed to malloc env mem\n); +log_err(failed to malloc memory for environment\n); exit(120); } @@ -283,12 +283,12 @@ #ifdef _OSD_POSIX /* User name comparisons are case insensitive on BS2000/OSD */ if (strcasecmp(HTTPD_USER, pw-pw_name)) { - log_err(user mismatch (%s)\n, pw-pw_name); +log_err(user mismatch (%s instead of %s)\n, pw-pw_name, HTTPD_USER); exit(103); } #else /*_OSD_POSIX*/ if (strcmp(HTTPD_USER, pw-pw_name)) { - log_err(user mismatch (%s)\n, pw-pw_name); +log_err(user mismatch (%s instead of %s)\n, pw-pw_name, HTTPD_USER); exit(103); } #endif /*_OSD_POSIX*/ @@ -350,7 +350,7 @@ * Log the transaction here to be sure we have an open log * before we setuid(). */ -log_err(uid: (%s/%s) gid: (%s/%s) %s\n, +log_err(uid: (%s/%s) gid: (%s/%s) cmd: %s\n, target_uname, actual_uname, target_gname, actual_gname, cmd);
Re: cvs commit: apache-1.3/src/support suexec.c
Yes, there was a PR on this, #2250. It has been closed, but the message was excessively cryptic and didn't help, so I was making it a little more meaningful. I was going to address Marc's concerns to-night. Please restore 1.40, and stop reverting other people's work without checking with them first - particularly when, as you indicated in your commit message, you're not familiar with the issues. #kenP-|}
cvs commit: apache-1.3/src/support suexec.c
coar98/07/01 03:34:21 Modified:src/support suexec.c Log: Redo the 'too few arguments' error reporting in a way that doesn't do excessive unsafe string copying (which Marc pointed out was a flaw in the last edit). Revision ChangesPath 1.41 +27 -1 apache-1.3/src/support/suexec.c Index: suexec.c === RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v retrieving revision 1.40 retrieving revision 1.41 diff -u -r1.40 -r1.41 --- suexec.c 1998/06/20 11:07:38 1.40 +++ suexec.c 1998/07/01 10:34:20 1.41 @@ -261,10 +261,36 @@ if (argc 4) { char msgbuf[2048]; int i; + int clen; + static char *omsg = {buffer overflow}; + int olen = strlen(omsg); ap_snprintf(msgbuf, sizeof(msgbuf), too few (%d) arguments:, argc); + clen = strlen(msgbuf); for (i = 0; i argc; i++) { - ap_snprintf(msgbuf, sizeof(msgbuf), %s [%s], msgbuf, argv[i]); + int alen = strlen(argv[i]) + 4; + int rlen = sizeof(msgbuf) - clen - 1; + int oflow = (alen rlen); + + alen = oflow ? rlen : alen; + if (rlen 1) { + msgbuf[clen++] = ' '; + alen--; + } + if (rlen 2) { + msgbuf[clen++] = '['; + alen--; + } + ap_cpystrn(msgbuf[clen], argv[i], alen); + if (oflow) { + ap_cpystrn(msgbuf[sizeof(msgbuf) - olen - 1], omsg, olen + 1); + break; + } + else { + clen += alen - 2; + msgbuf[clen++] = ']'; + msgbuf[clen] = '\0'; + } } log_err(%s\n, msgbuf); exit(101);
cvs commit: apache-1.3/src/support suexec.c
coar98/06/18 12:06:57 Modified:src/support suexec.c Log: A wee bit of cleanup (cosmetic only). Revision ChangesPath 1.39 +8 -7 apache-1.3/src/support/suexec.c Index: suexec.c === RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v retrieving revision 1.38 retrieving revision 1.39 diff -u -r1.38 -r1.39 --- suexec.c 1998/04/21 20:14:06 1.38 +++ suexec.c 1998/06/18 19:06:56 1.39 @@ -161,12 +161,13 @@ time_t timevar; struct tm *lt; -if (!log) +if (!log) { if ((log = fopen(LOG_EXEC, a)) == NULL) { fprintf(stderr, failed to open log file\n); perror(fopen); exit(1); } +} time(timevar); lt = localtime(timevar); @@ -215,7 +216,8 @@ } else { for (idx = 0; safe_env_lst[idx]; idx++) { - if (!strncmp(*ep, safe_env_lst[idx], strlen(safe_env_lst[idx]))) { + if (!strncmp(*ep, safe_env_lst[idx], + strlen(safe_env_lst[idx]))) { cleanenv[cidx] = *ep; cidx++; break; @@ -239,8 +241,8 @@ char *target_uname; /* target user name */ char *target_gname; /* target group name */ char *target_homedir;/* target home directory */ -char *actual_uname; /* actual user name*/ -char *actual_gname; /* actual group name */ +char *actual_uname; /* actual user name */ +char *actual_gname; /* actual group name */ char *prog; /* name of this program */ char *cmd; /* command to be executed*/ char cwd[AP_MAXPATH];/* current working directory */ @@ -250,8 +252,6 @@ struct stat dir_info;/* directory info holder */ struct stat prg_info;/* program info holder */ - - /* * If there are a proper number of arguments, set * all of them to variables. Otherwise, error out. @@ -476,7 +476,8 @@ (gid != dir_info.st_gid) || (uid != prg_info.st_uid) || (gid != prg_info.st_gid)) { - log_err(target uid/gid (%ld/%ld) mismatch with directory (%ld/%ld) or program (%ld/%ld)\n, + log_err(target uid/gid (%ld/%ld) mismatch + with directory (%ld/%ld) or program (%ld/%ld)\n, uid, gid, dir_info.st_uid, dir_info.st_gid, prg_info.st_uid, prg_info.st_gid);
cvs commit: apache-1.3/src/support suexec.c
martin 98/03/20 03:33:02 Modified:src/support suexec.c Log: Add the same conditions for initgroups() existance as we use in apache's conf.h; Add case insensitivity for BS2000's user name comparison (yes, that's how it is); Add an error message if the executable isn't executable. Revision ChangesPath 1.36 +18 -1 apache-1.3/src/support/suexec.c Index: suexec.c === RCS file: /home/cvs/apache-1.3/src/support/suexec.c,v retrieving revision 1.35 retrieving revision 1.36 diff -u -u -r1.35 -r1.36 --- suexec.c 1998/03/19 09:56:43 1.35 +++ suexec.c 1998/03/20 11:33:00 1.36 @@ -94,7 +94,7 @@ *** */ -#if defined(QNX) +#if defined(QNX) || defined(_OSD_POSIX) || defined(MPE) || defined(SCO) || defined(BEOS) int initgroups(const char *name, gid_t basegid) { /* QNX and MPE do not appear to support supplementary groups. */ @@ -284,10 +284,18 @@ * is the user allowed to do so as defined in * suexec.h. If not the allowed user, error out. */ +#ifdef _OSD_POSIX +/* User name comparisons are case insensitive on BS2000/OSD */ +if (strcasecmp(HTTPD_USER, pw-pw_name)) { + log_err(user mismatch (%s)\n, pw-pw_name); + exit(103); +} +#else /*_OSD_POSIX*/ if (strcmp(HTTPD_USER, pw-pw_name)) { log_err(user mismatch (%s)\n, pw-pw_name); exit(103); } +#endif /*_OSD_POSIX*/ /* * Check for a leading '/' (absolute path) in the command to be executed, @@ -477,6 +485,15 @@ dir_info.st_uid, dir_info.st_gid, prg_info.st_uid, prg_info.st_gid); exit(120); +} +/* + * Error out if the program is not executable for the user. + * Otherwise, she won't find any error in the logs except for + * [error] Premature end of script headers: ... + */ +if (!(prg_info.st_mode S_IXUSR)) { + log_err(file has no execute permission: (%s/%s)\n, cwd, cmd); + exit(121); } clean_env();