authorJoe Orton <jorton@apache.org>2012-05-23 23:38:39 +0200
committerJoe Orton <jorton@apache.org>2012-05-23 23:38:39 +0200
commitbeaee8f4e3a275badb8239bf798379e0a8ad5de0 (patch)
treeaf9d06875cbd458486afdb8a67fc9320d8d026fd /modules/arch
parent* docs/manual/suexec.html.en: Update for syslog logging. (diff)
suexec: Support use of setgid/setuid capability bits on Linux, a
weaker set of privileges than the full setuid/setgid root binary.

* configure.in: Add --enable-suexec-capabilities flag.

* Makefile.in: If configured, use setcap instead of chmod 7555 on
  installed suexec binary.

* modules/arch/unix/mod_unixd.c (unixd_pre_config): Drop test for
  setuid bit if capability bits are used.

* docs/manual/: Add docs.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1342065 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/arch')
-rw-r--r--modules/arch/unix/mod_unixd.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/modules/arch/unix/mod_unixd.c b/modules/arch/unix/mod_unixd.c
index f6e9500736..1baa278c3f 100644
--- a/modules/arch/unix/mod_unixd.c
+++ b/modules/arch/unix/mod_unixd.c
@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *dummy, int arg)
return NULL;
}
+#ifdef AP_SUEXEC_CAPABILITIES
+/* If suexec is using capabilities, don't test for the setuid bit. */
+#define SETUID_TEST(finfo) (1)
+#else
+#define SETUID_TEST(finfo) (finfo.protection & APR_USETID)
+#endif
+
static int
unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp)
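Review bot: With AP_SUEXEC_CAPABILITIES defined, `SETUID_TEST(finfo)` is the constant `(1)`, so the startup check in the second hunk (`SETUID_TEST(wrapper) && wrapper.user == 0`) no longer confirms that the wrapper carries any privilege at all; only root ownership and the `access()` call remain. If the file capabilities were never applied or were lost (for example after a copy that does not preserve them), `suexec_enabled` would still be set to 1, and the problem would presumably surface only when suexec itself fails to change identity. The comment should say this explicitly, e.g. `/* Capabilities build: no setuid bit is expected; file capabilities on SUEXEC_BIN are NOT verified here, only ownership and access. */`, and a real capability check is worth considering if libcap is an acceptable dependency. Separately, the macro argument in the other branch should be parenthesized: `#define SETUID_TEST(finfo) ((finfo).protection & APR_USETID)`. The body of unixd_pre_config lies outside this hunk.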
@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
ap_unixd_config.suexec_enabled = 0;
if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
== APR_SUCCESS) {
- if ((wrapper.protection & APR_USETID) && wrapper.user == 0
+ if (SETUID_TEST(wrapper) && wrapper.user == 0
&& (access(SUEXEC_BIN, R_OK|X_OK) == 0)) {
ap_unixd_config.suexec_enabled = 1;
ap_unixd_config.suexec_disabled_reason = "";