From a7f818f5e393d361ad61008a09471f6e2177828b Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Wed, 30 May 2018 19:09:00 +0000
Subject: [PATCH] Merge r1341905, r1342065, r1341930, r1345147, r1344712, r1814465 from trunk: suexec: Add support for logging to syslog as an alternative to a logfile. * support/suexec.c (err_output) [AP_LOG_SYSLOG]: Log to syslog. (main): Close syslog fd if open, before execv. Add -V output for AP_LOG_SYSLOG. * configure.in: Add --with-suexec-syslog argument; allow --without-suexec-logfile to omit definition of AP_LOG_EXEC. suexec: Support use of setgid/setuid capability bits on Linux, a weaker set of privileges than the full setuid/setgid root binary. * configure.in: Add --enable-suexec-capabilites flag. * Makefile.in: If configured, use setcap instead of chmod 7555 on installed suexec binary. * modules/arch/unix/mod_unixd.c (unixd_pre_config): Drop test for setuid bit if capability bits are used. * docs/manual/: Add docs. * docs/manual/suexec.html.en: Update for syslog logging. * configure.in: Correct handling of --with-suexec-logfile in r1341905, thanks to rpluem. * support/suexec.c: Define AP_LOG_FACILITY. (err_output): Use AP_LOG_FACILITY for syslog facility. Suggested by: kbrand * configure.in: Fix help text for --with-suexec-syslog. Submitted by: jorton Reviewed by: jorton, ylavic, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1832565 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 8 ++++++++
Makefile.in | 15 ++++++++++++--
STATUS | 11 -----------
configure.in | 30 +++++++++++++++++++++++++++-
docs/manual/suexec.html.en | 32 ++++++++++++++++++++++++++----
modules/arch/unix/mod_unixd.c | 9 ++++++++-
support/suexec.c | 37 +++++++++++++++++++++++++++++++++--
7 files changed, 121 insertions(+), 21 deletions(-)
diff --git a/CHANGES b/CHANGES
index af2ebee43f..780f729d30 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,14 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.34 + *) suexec: Add --enable-suexec-capabilites support on Linux, to use + setuid/setgid capability bits rather than a setuid root binary. + [Joe Orton] + + *) suexec: Add support for logging to syslog as an alternative to + logging to a file; use --without-suexec-logfile --with-suexec-syslog. + [Joe Orton] + *) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling which broke some rare but previously-working configs. [Joe Orton] diff --git a/Makefile.in b/Makefile.in index 6ded87eb0b..f667534fb1 100644 --- a/Makefile.in +++ b/Makefile.in @@ -269,11 +269,22 @@ install-man: cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ fi -install-suexec: +install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC) + +install-suexec-binary: @if test -f $(builddir)/support/suexec; then \ test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ - chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ + fi + +install-suexec-setuid: + @if test -f $(builddir)/support/suexec; then \ + chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ + fi + +install-suexec-caps: + @if test -f $(builddir)/support/suexec; then \ + setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ fi suexec: diff --git a/STATUS b/STATUS index a0b26db664..b0da0b710b 100644 --- a/STATUS +++ b/STATUS 
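Review bot: The ordering between `install-suexec-binary` and `install-suexec-$(INSTALL_SUEXEC)` in Makefile.in rests only on their left-to-right position in the `install-suexec` prerequisite list, which a parallel make does not guarantee. If `chmod 4755` or `setcap` runs before `$(INSTALL_PROGRAM)` replaces the file, the freshly installed wrapper would likely end up without its setuid bit or capability bits. Declaring the dependency on the privileged targets themselves removes the race: `install-suexec-setuid: install-suexec-binary` and `install-suexec-caps: install-suexec-binary`. A short comment on `install-suexec-caps` saying that `setcap` must run with sufficient privilege on a filesystem that stores file capabilities would also help packagers doing staged `DESTDIR` installs.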
@@ -135,17 +135,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) suexec: Support logging to syslog and Linux capabilities. - trunk patch: http://svn.apache.org/r1341905 - http://svn.apache.org/r1341930 - http://svn.apache.org/r1342065 - http://svn.apache.org/r1345147 - http://svn.apache.org/r1344712 - http://svn.apache.org/r1814465 - 2.4.x patch: http://people.apache.org/~jorton/ap_suexec_jumbo.patch - or svn merge -c 1341905,1342065,1341930,1345147,1344712,1814465 ^/httpd/httpd/trunk . - +1: jorton, ylavic, jim - *) mod_http2: Restore keepalive timing of v1.10.16, see https://github.com/icing/mod_h2/issues/160. trunk patch: http://svn.apache.org/1830562 2.4.x patch: https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/h2_keepalive_restore.patch diff --git a/configure.in b/configure.in index 761e836624..9feacebf98 100644 --- a/configure.in +++ b/configure.in 
@@ -744,7 +744,26 @@ APACHE_HELP_STRING(--with-suexec-gidmin,Minimal allowed GID),[ AC_ARG_WITH(suexec-logfile, APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[ - AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] ) + if test "x$withval" = "xyes"; then + AC_MSG_ERROR([log filename required for --with-suexec-logfile option]) + elif test "x$withval" != "xno"; then + AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file]) + fi +]) + +AC_ARG_WITH(suexec-syslog, +APACHE_HELP_STRING(--with-suexec-syslog,Use syslog for suexec logging),[ + if test $withval = "yes"; then + if test "x${with_suexec_logfile}" != "xno"; then + AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"]) + AC_MSG_ERROR([suexec does not support both logging to file and syslog]) + fi + AC_CHECK_FUNCS([vsyslog], [], [ + AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])]) + AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog]) + fi +]) + AC_ARG_WITH(suexec-safepath, APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[ @@ -754,6 +773,15 @@ AC_ARG_WITH(suexec-umask, APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] ) +INSTALL_SUEXEC=setuid +AC_ARG_ENABLE([suexec-capabilities], +APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [ +INSTALL_SUEXEC=caps +AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, + [Enable if suexec is installed with Linux capabilities, not setuid]) +]) +APACHE_SUBST(INSTALL_SUEXEC) + dnl APR should go after the other libs, so the right symbols can be picked up if test x${apu_found} != xobsolete; then AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`" diff --git a/docs/manual/suexec.html.en b/docs/manual/suexec.html.en index 526e79301c..63f7bad5dc 100644 --- a/docs/manual/suexec.html.en +++ b/docs/manual/suexec.html.en 
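Review bot: `if test $withval = "yes"` in the `--with-suexec-syslog` block leaves `$withval` unquoted and without the `x` prefix that the `--with-suexec-logfile` block directly above uses, so an empty value makes `test` fail with a syntax error. Any value other than `yes`, for example `--with-suexec-syslog=local0`, is also skipped silently, so `AP_LOG_SYSLOG` is never defined although the option was given. I would write `if test "x$withval" = "xyes"; then` and reject other non-`no` values with `AC_MSG_ERROR`, matching the logfile handling.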
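Review bot: The `AC_ARG_ENABLE([suexec-capabilities], …)` action in the second configure.in hunk never looks at `$enableval`, and autoconf runs the action-if-given for `--disable-suexec-capabilities` as well. An explicit `--disable-suexec-capabilities` therefore still sets `INSTALL_SUEXEC=caps` and defines `AP_SUEXEC_CAPABILITIES`, which switches the install step to `setcap` and removes the setuid-bit test in mod_unixd. Wrapping the two statements in `if test "x$enableval" = "xyes"; then` … `fi` fixes this. The block also does not check that the target is Linux or that `setcap` can be found, so a misconfiguration only surfaces at `make install`.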
@@ -374,6 +374,21 @@ together with the --enable-suexec option to let APACI accept your request for using the suEXEC feature. +
--enable-suexec-capabilities
+ +
Linux specific: Normally, + the suexec binary is installed "setuid/setgid + root", which allows it to run with the full privileges of the + root user. If this option is used, the suexec + binary will instead be installed with only the setuid/setgid + "capability" bits set, which is the subset of full root + priviliges required for suexec operation. Note that + the suexec binary may not be able to write to a log + file in this mode; it is recommended that the + --with-suexec-syslog --without-suexec-logfile + options are used in conjunction with this mode, so that syslog + logging is used instead.
+
--with-suexec-bin=PATH
The path to the suexec binary must be hard-coded @@ -435,6 +450,12 @@ "suexec_log" and located in your standard logfile directory (--logfiledir).
+
--with-suexec-syslog
+ +
If defined, suexec will log notices and errors to syslog + instead of a logfile. This option must be combined + with --without-suexec-logfile.
+
--with-suexec-safepath=PATH
Define a safe PATH environment to pass to CGI @@ -550,9 +571,12 @@ Group webgroup

The suEXEC wrapper will write log information to the file defined with the --with-suexec-logfile - option as indicated above. If you feel you have configured and - installed the wrapper properly, have a look at this log and the - error_log for the server to see where you may have gone astray.

+ option as indicated above, or to syslog if --with-suexec-syslog + is used. If you feel you have configured and + installed the wrapper properly, have a look at the log and the + error_log for the server to see where you may have gone astray. + The output of "suexec -V" will show the options + used to compile suexec, if using a binary distribution.

top
@@ -640,4 +664,4 @@ if (typeof(prettyPrint) !== 'undefined') { prettyPrint(); } //--> - \ No newline at end of file + diff --git a/modules/arch/unix/mod_unixd.c b/modules/arch/unix/mod_unixd.c index f6e9500736..1baa278c3f 100644 --- a/modules/arch/unix/mod_unixd.c +++ b/modules/arch/unix/mod_unixd.c @@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *dummy, int arg) return NULL; } +#ifdef AP_SUEXEC_CAPABILITIES +/* If suexec is using capabilities, don't test for the setuid bit. */ +#define SETUID_TEST(finfo) (1) +#else +#define SETUID_TEST(finfo) (finfo.protection & APR_USETID) +#endif + static int unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) @@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, ap_unixd_config.suexec_enabled = 0; if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) == APR_SUCCESS) { - if ((wrapper.protection & APR_USETID) && wrapper.user == 0 + if (SETUID_TEST(wrapper) && wrapper.user == 0 && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) { ap_unixd_config.suexec_enabled = 1; ap_unixd_config.suexec_disabled_reason = ""; diff --git a/support/suexec.c b/support/suexec.c index 0b2491e28b..0b52495b40 100644 --- a/support/suexec.c +++ b/support/suexec.c @@ -58,6 +58,10 @@ #include #endif +#ifdef AP_LOG_SYSLOG +#include +#endif + #if defined(PATH_MAX) #define AP_MAXPATH PATH_MAX #elif defined(MAXPATHLEN) @@ -69,7 +73,20 @@ #define AP_ENVBUF 256 extern char **environ; + +#ifdef AP_LOG_SYSLOG +/* Syslog support. */ +#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV) +#define AP_LOG_FACILITY LOG_AUTHPRIV +#elif !defined(AP_LOG_FACILITY) +#define AP_LOG_FACILITY LOG_AUTH +#endif + +static int log_open; +#else +/* Non-syslog support. */ static FILE *log = NULL; +#endif static const char *const safe_env_lst[] = { 
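Review bot: With `AP_SUEXEC_CAPABILITIES` defined, `SETUID_TEST` in mod_unixd.c expands to `(1)`, so the condition in `unixd_pre_config` (second hunk) reduces to root ownership plus `access()`, and nothing confirms that the wrapper actually carries the capability bits. If they were lost, for instance by a copy or an archive that does not preserve extended attributes, the server would still set `suexec_enabled = 1` and the problem would presumably show up only when a request reaches suexec. The comment should say so, e.g. `/* With capability bits there is no setuid bit to test; the file capabilities themselves are not verified here. */`. The macro argument should also be parenthesized, `((finfo).protection & APR_USETID)`. `unixd_pre_config` starts in the second hunk and continues outside it.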
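Review bot: The `/* Syslog support. */` block in support/suexec.c lacks documentation for the two things a builder or maintainer needs to know. The `#if !defined(AP_LOG_FACILITY)` guards mean the facility can be overridden at build time, which deserves a comment such as `/* Facility defaults to LOG_AUTHPRIV where available, else LOG_AUTH; override with -DAP_LOG_FACILITY=... */`. `static int log_open;` should get `/* Non-zero once openlog() has been called, so main() can closelog() before exec. */`, since its only uses are in later hunks.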
@@ -138,7 +155,14 @@ static void err_output(int is_error, const char *fmt, va_list ap) static void err_output(int is_error, const char *fmt, va_list ap) { -#ifdef AP_LOG_EXEC +#if defined(AP_LOG_SYSLOG) + if (!log_open) { + openlog("suexec", LOG_PID, AP_LOG_FACILITY); + log_open = 1; + } + + vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap); +#elif defined(AP_LOG_EXEC) time_t timevar; struct tm *lt; @@ -300,7 +324,9 @@ int main(int argc, char *argv[]) #ifdef AP_HTTPD_USER fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER); #endif -#ifdef AP_LOG_EXEC +#if defined(AP_LOG_SYSLOG) + fprintf(stderr, " -D AP_LOG_SYSLOG\n"); +#elif defined(AP_LOG_EXEC) fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); #endif #ifdef AP_SAFE_PATH @@ -603,6 +629,12 @@ int main(int argc, char *argv[]) #endif /* AP_SUEXEC_UMASK */ /* Be sure to close the log file so the CGI can't mess with it. */ +#ifdef AP_LOG_SYSLOG + if (log_open) { + closelog(); + log_open = 0; + } +#else if (log != NULL) { #if APR_HAVE_FCNTL_H /* @@ -624,6 +656,7 @@ int main(int argc, char *argv[]) log = NULL; #endif } +#endif /* * Execute the command, replacing our image with its own. -- 2.40.0
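Review bot: `vsyslog(is_error ? LOG_ERR : LOG_INFO, fmt, ap)` in `err_output` passes `fmt` through unchanged, so the new syslog path depends on every caller supplying a literal format string; those callers are outside this hunk. Because suexec runs with elevated privileges and its messages can be expected to include caller-supplied values, I would let the compiler enforce this by declaring the function with `__attribute__((format(printf, 2, 0)))` behind a GCC/Clang guard. The body of `err_output` continues past the end of this hunk, where the `AP_LOG_EXEC` branch has the same requirement.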