From: Ryan Bloom Date: Sat, 23 Dec 2000 03:15:16 +0000 (+0000) Subject: Allow SuExec to be configured from the ./configure command line X-Git-Tag: APACHE_2_0_BETA_CANDIDATE_1~324 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=72cbd26d26e320659f8399ed39095c7d6b256983;p=apache Allow SuExec to be configured from the ./configure command line git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@87521 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 60e855ac2f..e41a105c01 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,8 @@ Changes with Apache 2.0b1 + *) Allow SuExec to be configured from the ./configure command line. + [Ryan Bloom] + *) Update some of the docs in README and INSTALL to reflect some of the changes in Apache 2.0 [Cliff Woolley ] diff --git a/configure.in b/configure.in index 120c718efa..fe2160b83d 100644 --- a/configure.in +++ b/configure.in @@ -169,6 +169,35 @@ AC_ARG_WITH(program-name, progname="$withval" ], [ progname="httpd"] ) +# SuExec parameters +AC_ARG_WITH(suexec-caller, +[ --with-suexec-caller=User allowed to call SuExec],[ + AC_DEFINE_UNQUOTED(AP_HTTPD_USER, $withval, [User allowed to call SuExec] ) ] ) + +AC_ARG_WITH(suexec-userdir, +[ --with-suexec-userdir=User subdirectory],[ + AC_DEFINE_UNQUOTED(AP_USERDIR_SUFFIX, $withval, [User subdirectory] ) ] ) + +AC_ARG_WITH(suexec-docroot, +[ --with-suexec-docroot=SuExec root directory],[ + AC_DEFINE_UNQUOTED(AP_DOC_ROOT, $withval, [SuExec root directory] ) ] ) + +AC_ARG_WITH(suexec-uidmin, +[ --with-suexec-uidmin=Minimal allowed UID],[ + AC_DEFINE_UNQUOTED(AP_UID_MIN, $withval, [Minimal allowed UID] ) ] ) + +AC_ARG_WITH(suexec-gidmin, +[ --with-suexec-gidmin=Minimal allowed GID],[ + AC_DEFINE_UNQUOTED(AP_GID_MIN, $withval, [Minimal allowed GID] ) ] ) + +AC_ARG_WITH(suexec-logfile, +[ --with-suexec-logfile=Set the logfile],[ + AC_DEFINE_UNQUOTED(AP_LOG_EXEC, $withval, [SuExec log file] ) ] ) + +AC_ARG_WITH(suexec-safepath, +[ --with-suexec-safepath=Set the safepath],[ + AC_DEFINE_UNQUOTED(AP_SAFE_PATH, $withval, [safe shell path for SuExec] ) ] ) + dnl ### util_xml is always included, so we always need Expat (for now) apache_need_expat=yes diff --git a/support/suexec.c b/support/suexec.c index b1d24e6d9b..46aefdee1d 100644 --- a/support/suexec.c +++ b/support/suexec.c @@ -68,6 +68,7 @@ * */ +#include "ap_config_auto.h" #include "ap_config.h" #include #include @@ -163,12 +164,12 @@ char *safe_env_lst[] = static void err_output(const char *fmt, va_list ap) { -#ifdef LOG_EXEC +#ifdef AP_LOG_EXEC time_t timevar; struct tm *lt; if (!log) { - if ((log = fopen(LOG_EXEC, "a")) == NULL) { + if ((log = fopen(AP_LOG_EXEC, "a")) == NULL) { fprintf(stderr, "failed to open log file\n"); perror("fopen"); exit(1); @@ -185,19 +186,19 @@ static void err_output(const char *fmt, va_list ap) vfprintf(log, fmt, ap); fflush(log); -#endif /* LOG_EXEC */ +#endif /* AP_LOG_EXEC */ return; } static void log_err(const char *fmt,...) { -#ifdef LOG_EXEC +#ifdef AP_LOG_EXEC va_list ap; va_start(ap, fmt); err_output(fmt, ap); va_end(ap); -#endif /* LOG_EXEC */ +#endif /* AP_LOG_EXEC */ return; } @@ -215,7 +216,7 @@ static void clean_env(void) exit(120); } - sprintf(pathbuf, "PATH=%s", SAFE_PATH); + sprintf(pathbuf, "PATH=%s", AP_SAFE_PATH); cleanenv[cidx] = strdup(pathbuf); cidx++; @@ -291,13 +292,13 @@ int main(int argc, char *argv[]) */ #ifdef _OSD_POSIX /* User name comparisons are case insensitive on BS2000/OSD */ - if (strcasecmp(HTTPD_USER, pw->pw_name)) { - log_err("user mismatch (%s instead of %s)\n", pw->pw_name, HTTPD_USER); + if (strcasecmp(AP_HTTPD_USER, pw->pw_name)) { + log_err("user mismatch (%s instead of %s)\n", pw->pw_name, AP_HTTPD_USER); exit(103); } #else /*_OSD_POSIX*/ - if (strcmp(HTTPD_USER, pw->pw_name)) { - log_err("user mismatch (%s instead of %s)\n", pw->pw_name, HTTPD_USER); + if (strcmp(AP_HTTPD_USER, pw->pw_name)) { + log_err("user mismatch (%s instead of %s)\n", pw->pw_name, AP_HTTPD_USER); exit(103); } #endif /*_OSD_POSIX*/ @@ -401,18 +402,18 @@ int main(int argc, char *argv[]) /* * Error out if attempt is made to execute as root or as - * a UID less than UID_MIN. Tsk tsk. + * a UID less than AP_UID_MIN. Tsk tsk. */ - if ((uid == 0) || (uid < UID_MIN)) { + if ((uid == 0) || (uid < AP_UID_MIN)) { log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd); exit(107); } /* * Error out if attempt is made to execute as root group - * or as a GID less than GID_MIN. Tsk tsk. + * or as a GID less than AP_GID_MIN. Tsk tsk. */ - if ((gid == 0) || (gid < GID_MIN)) { + if ((gid == 0) || (gid < AP_GID_MIN)) { log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd); exit(108); } @@ -451,7 +452,7 @@ int main(int argc, char *argv[]) if (userdir) { if (((chdir(target_homedir)) != 0) || - ((chdir(USERDIR_SUFFIX)) != 0) || + ((chdir(AP_USERDIR_SUFFIX)) != 0) || ((getcwd(dwd, AP_MAXPATH)) == NULL) || ((chdir(cwd)) != 0)) { log_err("cannot get docroot information (%s)\n", target_homedir); @@ -459,10 +460,10 @@ int main(int argc, char *argv[]) } } else { - if (((chdir(DOC_ROOT)) != 0) || + if (((chdir(AP_DOC_ROOT)) != 0) || ((getcwd(dwd, AP_MAXPATH)) == NULL) || ((chdir(cwd)) != 0)) { - log_err("cannot get docroot information (%s)\n", DOC_ROOT); + log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT); exit(113); } } @@ -543,10 +544,10 @@ int main(int argc, char *argv[]) * Be sure to close the log file so the CGI can't * mess with it. If the exec fails, it will be reopened * automatically when log_err is called. Note that the log - * might not actually be open if LOG_EXEC isn't defined. + * might not actually be open if AP_LOG_EXEC isn't defined. * However, the "log" cell isn't ifdef'd so let's be defensive * and assume someone might have done something with it - * outside an ifdef'd LOG_EXEC block. + * outside an ifdef'd AP_LOG_EXEC block. */ if (log != NULL) { fclose(log); diff --git a/support/suexec.h b/support/suexec.h index c42f837bd8..a55349df50 100644 --- a/support/suexec.h +++ b/support/suexec.h @@ -66,24 +66,24 @@ * runs. This is the only user allowed to execute * this program. */ -#ifndef HTTPD_USER -#define HTTPD_USER "www" +#ifndef AP_HTTPD_USER +#define AP_HTTPD_USER "www" #endif /* * UID_MIN -- Define this as the lowest UID allowed to be a target user * for suEXEC. For most systems, 500 or 100 is common. */ -#ifndef UID_MIN -#define UID_MIN 100 +#ifndef AP_UID_MIN +#define AP_UID_MIN 100 #endif /* * GID_MIN -- Define this as the lowest GID allowed to be a target group * for suEXEC. For most systems, 100 is common. */ -#ifndef GID_MIN -#define GID_MIN 100 +#ifndef AP_GID_MIN +#define AP_GID_MIN 100 #endif /* @@ -107,8 +107,8 @@ * See the suEXEC documentation for more detailed * information. */ -#ifndef USERDIR_SUFFIX -#define USERDIR_SUFFIX "public_html" +#ifndef AP_USERDIR_SUFFIX +#define AP_USERDIR_SUFFIX "public_html" #endif /* @@ -116,8 +116,8 @@ * transactions and errors logged for auditing and * debugging purposes. */ -#ifndef LOG_EXEC -#define LOG_EXEC "/usr/local/apache/logs/cgi.log" /* Need me? */ +#ifndef AP_LOG_EXEC +#define AP_LOG_EXEC "/usr/local/apache/logs/cgi.log" /* Need me? */ #endif /* @@ -125,16 +125,16 @@ * will be the only hierarchy (aside from UserDirs) * that can be used for suEXEC behavior. */ -#ifndef DOC_ROOT -#define DOC_ROOT "/usr/local/apache/htdocs" +#ifndef AP_DOC_ROOT +#define AP_DOC_ROOT "/usr/local/apache/htdocs" #endif /* * SAFE_PATH -- Define a safe PATH environment to pass to CGI executables. * */ -#ifndef SAFE_PATH -#define SAFE_PATH "/usr/local/bin:/usr/bin:/bin" +#ifndef AP_SAFE_PATH +#define AP_SAFE_PATH "/usr/local/bin:/usr/bin:/bin" #endif #endif /* _SUEXEC_H */