Date: Wed, 28 Apr 2004 11:11:34 +0400 (MSD) From: Denis Shaposhnikov <dsh@vlink.ru> To: FreeBSD-gnats-submit@FreeBSD.org Cc: dsh@neva.vlink.ru Subject: ports/66042: new port: www/suexec13 (standalone suexec from apache-1.3) Message-ID: <200404280711.i3S7BYIw063880@neva.vlink.ru> Resent-Message-ID: <200404280720.i3S7KLYF048476@freefall.freebsd.org>
>Number: 66042 >Category: ports >Synopsis: new port: www/suexec13 (standalone suexec from apache-1.3) >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Wed Apr 28 00:20:21 PDT 2004 >Closed-Date: >Last-Modified: >Originator: Denis Shaposhnikov >Release: FreeBSD 4.9-STABLE i386 >Organization: >Environment: System: FreeBSD neva.vlink.ru 4.9-STABLE FreeBSD 4.9-STABLE #2: Wed Mar 3 14:17:03 MSK 2004 dsh@neva.vlink.ru:/var/FreeBSD/src/sys/compile/NEVA i386 >Description: The suEXEC feature -- introduced in Apache 1.2 -- provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server. Used properly, this feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs. However, if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer's security. If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC. WWW: http://httpd.apache.org/ >How-To-Repeat: # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. 
# # This archive contains: # # suexec13/ # suexec13/files # suexec13/files/patch-src-support-Makefile.tmpl # suexec13/files/patch-src-support-suexec.c # suexec13/distinfo # suexec13/pkg-descr # suexec13/Makefile # echo c - suexec13/ mkdir -p suexec13/ > /dev/null 2>&1 echo c - suexec13/files mkdir -p suexec13/files > /dev/null 2>&1 echo x - suexec13/files/patch-src-support-Makefile.tmpl sed 's/^X//' >suexec13/files/patch-src-support-Makefile.tmpl << 'END-of-suexec13/files/patch-src-support-Makefile.tmpl'
X--- src/support/Makefile.tmpl.orig Sat Mar 2 20:46:23 2002
X+++ src/support/Makefile.tmpl Tue Oct 22 00:31:18 2002
X@@ -7,7 +7,7 @@
X # LIBS=-L$(SSLLOC)/lib -lssl -lcrypto -lm -lap -los $(EXTRA_LIBS) $(LIBS1)
X # INCLUDES=-I$(SSLLOC)/include $(INCLUDES1) $(INCLUDES0) $(EXTRA_INCLUDES)
X
X-CFLAGS=$(OPTIM) $(CFLAGS1) $(EXTRA_CFLAGS)
X+CFLAGS=-DLOGIN_CAP $(OPTIM) $(CFLAGS1) $(EXTRA_CFLAGS)
X LIBS=-lm -lap -los $(EXTRA_LIBS) $(LIBS1)
X INCLUDES=$(INCLUDES1) $(INCLUDES0) $(EXTRA_INCLUDES)
X LDFLAGS=$(LDFLAGS1) $(EXTRA_LDFLAGS) -L$(OSDIR) -L$(SRCDIR)/ap
X@@ -50,7 +50,7 @@
X -e 's%@LIBS_SHLIB@%$(LIBS_SHLIB)%g' && chmod a+x apxs
X
X suexec: suexec.o
X- $(CC) $(CFLAGS) -o suexec $(LDFLAGS) suexec.o $(LIBS)
X+ $(CC) $(CFLAGS) -lutil -o suexec $(LDFLAGS) suexec.o $(LIBS)
X
X clean:
X rm -f $(TARGETS) *.o END-of-suexec13/files/patch-src-support-Makefile.tmpl echo x - suexec13/files/patch-src-support-suexec.c sed 's/^X//' >suexec13/files/patch-src-support-suexec.c << 'END-of-suexec13/files/patch-src-support-suexec.c'
X--- src/support/suexec.c.orig Wed Mar 5 18:50:29 2003
X+++ src/support/suexec.c Fri Jul 18 18:09:56 2003
X@@ -90,6 +90,9 @@
X #include <sys/types.h>
X
X #include <stdarg.h>
X+#ifdef LOGIN_CAP
X+#include <login_cap.h>
X+#endif
X
X #include "suexec.h"
X
X@@ -322,6 +325,9 @@
X #ifdef LOG_EXEC
X fprintf(stderr, " -D LOG_EXEC=\"%s\"\n", LOG_EXEC);
X #endif
X+#ifdef LOGIN_CAP
X+ fprintf(stderr, " -D LOGIN_CAP\n");
X+#endif
X #ifdef SAFE_PATH
X fprintf(stderr, " -D 
SAFE_PATH=\"%s\"\n", SAFE_PATH);
X #endif
X@@ -480,7 +486,28 @@
X
X /*
X * Change UID/GID here so that the following tests work over NFS.
X- *
X+ */
X+
X+#ifdef LOGIN_CAP
X+ /*
X+ * Set user context (resources, priority and grouplist).
X+ * If unsuccessful, error out.
X+ */
X+ if (setusercontext(NULL, pw, uid, LOGIN_SETRESOURCES | LOGIN_SETPRIORITY |
X+ LOGIN_SETGROUP | LOGIN_SETLOGIN) == -1) {
X+ log_err("emerg: failed to set user context (%ld: %s)\n", uid, cmd);
X+ exit(108);
X+ }
X+
X+ /*
X+ * Set gid to the target group. If unsuccessful, error out.
X+ */
X+ if ((setgid(gid)) != 0) {
X+ log_err("emerg: failed to setgid (%ld: %s)\n", gid, cmd);
X+ exit(109);
X+ }
X+#else /* !LOGIN_CAP */
X+ /*
X * Initialize the group access list for the target user,
X * and setgid() to the target group. If unsuccessful, error out.
X */
X@@ -488,6 +515,7 @@
X log_err("emerg: failed to setgid (%ld: %s)\n", gid, cmd);
X exit(109);
X }
X+#endif /* LOGIN_CAP */
X
X /*
X * setuid() to the target user. Error out on fail. END-of-suexec13/files/patch-src-support-suexec.c echo x - suexec13/distinfo sed 's/^X//' >suexec13/distinfo << 'END-of-suexec13/distinfo' XMD5 (apache_1.3.29.tar.gz) = e97fe9bf51dc2c9c233d53f63b1347e3 XSIZE (apache_1.3.29.tar.gz) = 2435809 END-of-suexec13/distinfo echo x - suexec13/pkg-descr sed 's/^X//' >suexec13/pkg-descr << 'END-of-suexec13/pkg-descr' XThe suEXEC feature -- introduced in Apache 1.2 -- provides Apache Xusers the ability to run CGI and SSI programs under user IDs different Xfrom the user ID of the calling web-server. Normally, when a CGI or XSSI program executes, it runs as the same user who is running the web Xserver. X XUsed properly, this feature can reduce considerably the security risks Xinvolved with allowing users to develop and run private CGI or SSI Xprograms. However, if suEXEC is improperly configured, it can cause Xany number of problems and possibly create new holes in your Xcomputer's security. 
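Review bot: The flag set passed to setusercontext() in the `@@ -480,7 +486,28 @@` hunk includes `LOGIN_SETLOGIN`, which the comment above the call ("resources, priority and grouplist") does not mention. setlogin(2) sets the login name for the whole session, and nothing visible here shows suexec starting a new session, so the name would presumably change for the httpd processes sharing that session as well. Unless that is intended, end the flag list at `LOGIN_SETGROUP) == -1) {`, or extend the comment to say why the login name must be set. `LOGIN_SETGROUP` also initialises the group list from `pw`, while the following `setgid(gid)` uses the requested group; if the two can differ, the supplementary groups may not match what the `#else` branch sets up (that branch's call, like the rest of the enclosing function, is outside the hunk), which is worth a comment or an explicit check.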
If you aren't familiar with managing setuid root Xprograms and the security issues they present, we highly recommend Xthat you not consider using suEXEC. X XWWW: http://httpd.apache.org/ END-of-suexec13/pkg-descr echo x - suexec13/Makefile sed 's/^X//' >suexec13/Makefile << 'END-of-suexec13/Makefile' X# New ports collection makefile for: suexec X# Date created: Wed Apr 28 10:18:50 MSD 2004 X# Whom: dsh@vlink.ru X# X# $FreeBSD$ X# X XPORTNAME= suexec XPORTVERSION= 1.3.29 XCATEGORIES= www XMASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} XDISTNAME= apache_${PORTVERSION} X XMAINTAINER= dsh@vlink.ru XCOMMENT= Provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server X XUSE_PERL5= yes XHAS_CONFIGURE= yes X X.if defined(WITHOUT_APACHE_EXPAT) && ${WITHOUT_APACHE_EXPAT} == yes XCONFIGURE_ARGS+= --disable-rule=EXPAT X.else X.if !defined(WITH_APACHE_INTERNAL_EXPAT) || ${WITH_APACHE_INTERNAL_EXPAT} != yes XLIB_DEPENDS+= expat.4:${PORTSDIR}/textproc/expat2 X.endif XCONFIGURE_ARGS+= --enable-rule=EXPAT X.endif X XDATADIR=${PREFIX}/www XDOCUMENT_ROOT=${DATADIR}/data XDEFAULT_PATH=/bin:/usr/bin:${PREFIX}/bin X XAPACHE_SUEXEC_DOCROOT?=${DOCUMENT_ROOT} XAPACHE_SUEXEC_LOG?=/var/log/httpd-suexec.log XAPACHE_SUEXEC_USERDIR?=public_html XAPACHE_SUEXEC_UIDMIN?=1000 XAPACHE_SUEXEC_GIDMIN?=1000 XAPACHE_SUEXEC_CALLER?=www X XCONFIGURE_ARGS+= --with-perl=${PERL} \ X --with-layout=FreeBSD \ X --without-confadjust \ X --enable-suexec \ X --suexec-docroot=${APACHE_SUEXEC_DOCROOT} \ X --suexec-caller=${APACHE_SUEXEC_CALLER} \ X --suexec-uidmin=${APACHE_SUEXEC_UIDMIN} \ X --suexec-gidmin=${APACHE_SUEXEC_GIDMIN} \ X --suexec-logfile=${APACHE_SUEXEC_LOG} \ X --suexec-userdir=${APACHE_SUEXEC_USERDIR} \ X --suexec-safepath=${DEFAULT_PATH} \ X ${EXPAT_CONF} X X.if defined(APACHE_SUEXEC_UMASK) XCONFIGURE_ARGS+= --suexec-umask=${APACHE_SUEXEC_UMASK} X.endif X XCFLAGS+=-DDOCUMENT_LOCATION=\\\\\"${DOCUMENT_ROOT}\\\\\" \ X 
-DDEFAULT_PATH=\\\\\"${DEFAULT_PATH}\\\\\" X X# X# Set WITH_APACHE_PERF_TUNING env. variable to yes to get maximum performance X# X.if defined(WITH_APACHE_PERF_TUNING) && ${WITH_APACHE_PERF_TUNING} == yes XCFLAGS+=-DBUFFERED_LOGS X# Don't use OPTIM below, it is inserted _before_ CFLAGS XCFLAGS+=-O6 -fomit-frame-pointer X.endif X XCONFIGURE_ENV= OPTIM='${OPTIM}' LD_SHLIB='${CC}' LIBS='${LIBS}' X X.if (!defined(WITHOUT_APACHE_EXPAT) || ${WITHOUT_APACHE_EXPAT} != yes) && \ X (!defined(WITH_APACHE_INTERNAL_EXPAT) || ${WITH_APACHE_INTERNAL_EXPAT} != yes) XCONFIGURE_ENV+= \ X INCLUDES=-I${LOCALBASE}/include \ X LDFLAGS=-L${LOCALBASE}/lib X.endif X XMAN8= suexec.8 XPLIST_FILES= sbin/suexec X Xdo-install: X ${INSTALL_PROGRAM} -m u=rwxs,go=x ${WRKSRC}/src/support/suexec \ X ${PREFIX}/sbin/ X ${INSTALL_MAN} ${WRKSRC}/src/support/suexec.8 ${MANPREFIX}/man/man8/ X X.include <bsd.port.mk> END-of-suexec13/Makefile exit >Fix: >Release-Note: >Audit-Trail: >Unformatted: