rse 98/05/08 00:50:22
Modified: src CHANGES
. INSTALL Makefile.tmpl README.configure configure
Log:
Cleanup the suEXEC support in APACI and make it more safe:
1. Add big fat hint in INSTALL about risks and to read the
htdocs/manual/suexec.html document before using the suexec-related
configure options.
2. Make sure the user has at least provided one --suexec-xxxx option
(specifies suEXEC parameters) in addition to --enable-suexec option.
If only --enable-suexec is given APACI stops with a hint to INSTALL
and htdocs/manual/suexec.html documents.
3. Provide two additional --suexec-xxxx options to make the suEXEC
configuration complete (especially for package maintainers who else
had to patch the source tree) by providing ways to configure minimal
UID/GID and safe PATH, too.
Revision Changes Path
1.834 +14 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.833
retrieving revision 1.834
diff -u -r1.833 -r1.834
--- CHANGES 1998/05/07 15:24:41 1.833
+++ CHANGES 1998/05/08 07:50:19 1.834
@@ -1,5 +1,19 @@
Changes with Apache 1.3b7
+ *) Cleanup the suEXEC support in APACI and make it more safe:
+ 1. Add big fat hint in INSTALL about risks and to read the
+ htdocs/manual/suexec.html document before using the suexec-related
+ configure options.
+ 2. Make sure the user has at least provided one --suexec-xxxx option
+ (specifies suEXEC parameters) in addition to --enable-suexec option.
+ If only --enable-suexec is given APACI stops with a hint to INSTALL
+ and htdocs/manual/suexec.html documents.
+ 3. Provide two additional --suexec-xxxx options to make the suEXEC
+ configuration complete (especially for package maintainers who else
+ had to patch the source tree) by providing ways to configure minimal
+ UID/GID and safe PATH, too.
+ [Ralf S. Engelschall]
+
*) Cleanup of the `configure --shadow' process:
- make sure the configure script creates its temporary files in the
shadow tree to avoid conflicts with parallel configure runs
1.26 +25 -5 apache-1.3/INSTALL
Index: INSTALL
===================================================================
RCS file: /export/home/cvs/apache-1.3/INSTALL,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- INSTALL 1998/05/06 15:44:26 1.25
+++ INSTALL 1998/05/08 07:50:20 1.26
@@ -148,10 +148,13 @@
[--localstatedir=DIR] [--enable-suexec]
[--runtimedir=DIR] [--suexec-caller=UID]
[--logfiledir=DIR] [--suexec-userdir=DIR]
- [--proxycachedir=DIR]
- [--compat] [--with-perl=FILE]
- [--without-support]
+ [--proxycachedir=DIR] [--suexec-uidmin=UID]
+ [--compat] [--suexec-gidmin=GID]
+ [--suexec-safepath=PATH]
+ [--with-perl=FILE]
+ [--without-support]
+
Use the CC, OPTIM, CFLAGS, INCLUDES, LDFLAGS, LIBS, CFLAGS_SHLIB,
LDFLAGS_SHLIB, LDFLAGS_SHLIB_EXPORT and RANLIB environment variables to
override the corresponding default entries in the src/Configuration.tmpl
@@ -262,9 +265,26 @@
Use the --enable-suexec option to enable the suEXEC feature by building
and installing the "suexec" support program. Use --suexec-caller=UID to
- set the allowed caller user id and --suexec-userdir=DIR to set the user
- subdirectory for this feature.
+ set the allowed caller user id, the --suexec-userdir=DIR to set the user
+ subdirectory, the --suexec-uidmin=UID/--suexec-gidmin=GID to set the
+ minimal allowed UID/GID and --suexec-safepath=PATH to set the safe shell
+ PATH for the suEXEC feature. At least one --suexec-xxxxx option has
+ to be provided together with --enable-suexec option to let APACI accept
+ your request for using the suEXEC feature.
+
+ CAUTION: FOR DETAILS ABOUT THE SUEXEC FEATURE WE HIGHLY RECOMMEND YOU TO
+ FIRST READ THE DOCUMENT htdocs/manual/suexec.html BEFORE USING
+ THE ABOVE OPTIONS.
+ USING THE SUEXEC FEATURE PROPERLY CAN REDUCE CONSIDERABLY THE
+ SECURITY RISKS INVOLVED WITH ALLOWING USERS TO DEVELOP AND RUN
+ PRIVATE CGI OR SSI PROGRAMS. HOWEVER, IF SUEXEC IS IMPROPERLY
+ CONFIGURED, IT CAN CAUSE ANY NUMBER OF PROBLEMS AND POSSIBLY
+ CREATE NEW HOLES IN YOUR COMPUTER'S SECURITY. IF YOU AREN'T
+ FAMILIAR WITH MANAGING SETUID ROOT PROGRAMS AND THE SECURITY
+ ISSUES THEY PRESENT, WE HIGHLY RECOMMEND THAT YOU NOT CONSIDER
+ USING SUEXEC AND KEEP AWAY FROM THESE OPTIONS!
+
Use the --shadow option to let APACI create a shadow source tree of the
sources for building. This is useful when you want to build for different
platforms in parallel (usually through a NFS, AFS or DFS mounted
1.34 +13 -2 apache-1.3/Makefile.tmpl
Index: Makefile.tmpl
===================================================================
RCS file: /export/home/cvs/apache-1.3/Makefile.tmpl,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- Makefile.tmpl 1998/05/07 15:24:43 1.33
+++ Makefile.tmpl 1998/05/08 07:50:21 1.34
@@ -114,6 +114,9 @@
suexec = @suexec@
suexec_caller = @suexec_caller@
suexec_userdir = @suexec_userdir@
+suexec_uidmin = @suexec_uidmin@
+suexec_gidmin = @suexec_gidmin@
+suexec_safepath = @suexec_safepath@
# usage of src/support stuff
build-support = @build_support@
@@ -152,8 +155,16 @@
cd $(TOP)/$(SRC)/support; $(MAKE) $(MFLAGS) all; \
if [ ".$(suexec)" = .1 ]; then \
$(MAKE) $(MFLAGS) \
- EXTRA_CFLAGS='-DHTTPD_USER=\"$(suexec_caller)\" -DUSERDIR_SUFFIX=\"$(suexec_userdir)\"' \
- suexec; \
+ EXTRA_CFLAGS='\
+ -DHTTPD_USER=\"$(suexec_caller)\" \
+ -DUID_MIN=$(suexec_uidmin) \
+ -DGID_MIN=$(suexec_gidmin) \
+ -DUSERDIR_SUFFIX=\"$(suexec_userdir)\" \
+ -DLOG_EXEC=\"$(logfiledir)/suexec_log\" \
+ -DDOC_ROOT=\"$(datadir)/htdocs\" \
+ -DSAFE_PATH=\"$(suexec_safepath)\" \
+ ' \
+ suexec; \
fi; \
echo "<=== $(SRC)/support"
1.9 +3 -0 apache-1.3/README.configure
Index: README.configure
===================================================================
RCS file: /export/home/cvs/apache-1.3/README.configure,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- README.configure 1998/05/06 15:44:25 1.8
+++ README.configure 1998/05/08 07:50:21 1.9
@@ -95,6 +95,9 @@
--enable-suexec \
--suexec-caller=www \
--suexec-userdir=.www
+ --suexec-uidmin=1000 \
+ --suexec-gidmin=1000 \
+ --suexec-safepath="/bin:/usr/bin"
$ make
$ make install
1.24 +38 -0 apache-1.3/configure
Index: configure
===================================================================
RCS file: /export/home/cvs/apache-1.3/configure,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- configure 1998/05/07 15:24:43 1.23
+++ configure 1998/05/08 07:50:21 1.24
@@ -164,8 +164,12 @@
# suexec defaults
suexec=0
+suexec_ok=0
suexec_caller=www
suexec_userdir=public_html
+suexec_uidmin=100
+suexec_gidmin=100
+suexec_safepath="/usr/local/bin:/usr/bin:/bin"
# with support tools
support=1
@@ -347,6 +351,9 @@
echo " --enable-suexec enable the suEXEC feature"
echo " --suexec-caller=NAME set the suEXEC username of the allowed caller [$suexec_caller]"
echo " --suexec-userdir=DIR set the suEXEC user subdirectory [$suexec_userdir]"
+ echo " --suexec-uidmin=UID set the suEXEC minimal allowed UID [$suexec_uidmin]"
+ echo " --suexec-gidmin=GID set the suEXEC minimal allowed GID [$suexec_gidmin]"
+ echo " --suexec-safepath=PATH set the suEXEC safe PATH [$suexec_safepath]"
echo ""
exit 0
;;
@@ -631,10 +638,24 @@
;;
--suexec-caller=*)
suexec_caller="$apc_optarg"
+ suexec_ok=1
;;
--suexec-userdir=*)
suexec_userdir="$apc_optarg"
+ suexec_ok=1
;;
+ --suexec-uidmin=*)
+ suexec_uidmin="$apc_optarg"
+ suexec_ok=1
+ ;;
+ --suexec-gidmin=*)
+ suexec_gidmin="$apc_optarg"
+ suexec_ok=1
+ ;;
+ --suexec-safepath=*)
+ suexec_safepath="$apc_optarg"
+ suexec_ok=1
+ ;;
* )
echo "configure:Error: invalid option '$apc_option'" 1>&2
exit 1
@@ -648,6 +669,20 @@
fi
##
+## a few errors
+##
+if [ ".$suexec" = .1 ]; then
+ if [ ".$suexec_ok" = .0 ]; then
+ echo "configure:Error: You enabled the suEXEC feature via --enable-suexec but"
+ echo " without explicitly configuring it via at least one"
+ echo " --suexec-xxxxx option. Seems like you are still not"
+ echo " familiar with the suEXEC risks. Please read the INSTALL"
+ echo " and htdocs/manual/suexec.html documents first."
+ exit 1
+ fi
+fi
+
+##
## a few warnings
##
if [ ".$PERL" = .no-perl-on-this-system ]; then
@@ -780,6 +815,9 @@
-e "s%@suexec@%$suexec%g" \
-e "s%@suexec_caller@%$suexec_caller%g" \
-e "s%@suexec_userdir@%$suexec_userdir%g" \
+-e "s%@suexec_uidmin@%$suexec_uidmin%g" \
+-e "s%@suexec_gidmin@%$suexec_gidmin%g" \
+-e "s%@suexec_safepath@%$suexec_safepath%g" \
-e "s%@build_support@%$build_support%g" \
-e "s%@install_support@%$install_support%g" \
-e "s%@clean_support@%$clean_support%g" \
Modified: src CHANGES
. INSTALL Makefile.tmpl README.configure configure
Log:
Cleanup the suEXEC support in APACI and make it more safe:
1. Add big fat hint in INSTALL about risks and to read the
htdocs/manual/suexec.html document before using the suexec-related
configure options.
2. Make sure the user has at least provided one --suexec-xxxx option
(specifies suEXEC parameters) in addition to --enable-suexec option.
If only --enable-suexec is given APACI stops with a hint to INSTALL
and htdocs/manual/suexec.html documents.
3. Provide two additional --suexec-xxxx options to make the suEXEC
configuration complete (especially for package maintainers who else
had to patch the source tree) by providing ways to configure minimal
UID/GID and safe PATH, too.
Revision Changes Path
1.834 +14 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.833
retrieving revision 1.834
diff -u -r1.833 -r1.834
--- CHANGES 1998/05/07 15:24:41 1.833
+++ CHANGES 1998/05/08 07:50:19 1.834
@@ -1,5 +1,19 @@
Changes with Apache 1.3b7
+ *) Cleanup the suEXEC support in APACI and make it more safe:
+ 1. Add big fat hint in INSTALL about risks and to read the
+ htdocs/manual/suexec.html document before using the suexec-related
+ configure options.
+ 2. Make sure the user has at least provided one --suexec-xxxx option
+ (specifies suEXEC parameters) in addition to --enable-suexec option.
+ If only --enable-suexec is given APACI stops with a hint to INSTALL
+ and htdocs/manual/suexec.html documents.
+ 3. Provide two additional --suexec-xxxx options to make the suEXEC
+ configuration complete (especially for package maintainers who else
+ had to patch the source tree) by providing ways to configure minimal
+ UID/GID and safe PATH, too.
+ [Ralf S. Engelschall]
+
*) Cleanup of the `configure --shadow' process:
- make sure the configure script creates its temporary files in the
shadow tree to avoid conflicts with parallel configure runs
1.26 +25 -5 apache-1.3/INSTALL
Index: INSTALL
===================================================================
RCS file: /export/home/cvs/apache-1.3/INSTALL,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- INSTALL 1998/05/06 15:44:26 1.25
+++ INSTALL 1998/05/08 07:50:20 1.26
@@ -148,10 +148,13 @@
[--localstatedir=DIR] [--enable-suexec]
[--runtimedir=DIR] [--suexec-caller=UID]
[--logfiledir=DIR] [--suexec-userdir=DIR]
- [--proxycachedir=DIR]
- [--compat] [--with-perl=FILE]
- [--without-support]
+ [--proxycachedir=DIR] [--suexec-uidmin=UID]
+ [--compat] [--suexec-gidmin=GID]
+ [--suexec-safepath=PATH]
+ [--with-perl=FILE]
+ [--without-support]
+
Use the CC, OPTIM, CFLAGS, INCLUDES, LDFLAGS, LIBS, CFLAGS_SHLIB,
LDFLAGS_SHLIB, LDFLAGS_SHLIB_EXPORT and RANLIB environment variables to
override the corresponding default entries in the src/Configuration.tmpl
@@ -262,9 +265,26 @@
Use the --enable-suexec option to enable the suEXEC feature by building
and installing the "suexec" support program. Use --suexec-caller=UID to
- set the allowed caller user id and --suexec-userdir=DIR to set the user
- subdirectory for this feature.
+ set the allowed caller user id, the --suexec-userdir=DIR to set the user
+ subdirectory, the --suexec-uidmin=UID/--suexec-gidmin=GID to set the
+ minimal allowed UID/GID and --suexec-safepath=PATH to set the safe shell
+ PATH for the suEXEC feature. At least one --suexec-xxxxx option has
+ to be provided together with --enable-suexec option to let APACI accept
+ your request for using the suEXEC feature.
+
+ CAUTION: FOR DETAILS ABOUT THE SUEXEC FEATURE WE HIGHLY RECOMMEND YOU TO
+ FIRST READ THE DOCUMENT htdocs/manual/suexec.html BEFORE USING
+ THE ABOVE OPTIONS.
+ USING THE SUEXEC FEATURE PROPERLY CAN REDUCE CONSIDERABLY THE
+ SECURITY RISKS INVOLVED WITH ALLOWING USERS TO DEVELOP AND RUN
+ PRIVATE CGI OR SSI PROGRAMS. HOWEVER, IF SUEXEC IS IMPROPERLY
+ CONFIGURED, IT CAN CAUSE ANY NUMBER OF PROBLEMS AND POSSIBLY
+ CREATE NEW HOLES IN YOUR COMPUTER'S SECURITY. IF YOU AREN'T
+ FAMILIAR WITH MANAGING SETUID ROOT PROGRAMS AND THE SECURITY
+ ISSUES THEY PRESENT, WE HIGHLY RECOMMEND THAT YOU NOT CONSIDER
+ USING SUEXEC AND KEEP AWAY FROM THESE OPTIONS!
+
Use the --shadow option to let APACI create a shadow source tree of the
sources for building. This is useful when you want to build for different
platforms in parallel (usually through a NFS, AFS or DFS mounted
1.34 +13 -2 apache-1.3/Makefile.tmpl
Index: Makefile.tmpl
===================================================================
RCS file: /export/home/cvs/apache-1.3/Makefile.tmpl,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- Makefile.tmpl 1998/05/07 15:24:43 1.33
+++ Makefile.tmpl 1998/05/08 07:50:21 1.34
@@ -114,6 +114,9 @@
suexec = @suexec@
suexec_caller = @suexec_caller@
suexec_userdir = @suexec_userdir@
+suexec_uidmin = @suexec_uidmin@
+suexec_gidmin = @suexec_gidmin@
+suexec_safepath = @suexec_safepath@
# usage of src/support stuff
build-support = @build_support@
@@ -152,8 +155,16 @@
cd $(TOP)/$(SRC)/support; $(MAKE) $(MFLAGS) all; \
if [ ".$(suexec)" = .1 ]; then \
$(MAKE) $(MFLAGS) \
- EXTRA_CFLAGS='-DHTTPD_USER=\"$(suexec_caller)\" -DUSERDIR_SUFFIX=\"$(suexec_userdir)\"' \
- suexec; \
+ EXTRA_CFLAGS='\
+ -DHTTPD_USER=\"$(suexec_caller)\" \
+ -DUID_MIN=$(suexec_uidmin) \
+ -DGID_MIN=$(suexec_gidmin) \
+ -DUSERDIR_SUFFIX=\"$(suexec_userdir)\" \
+ -DLOG_EXEC=\"$(logfiledir)/suexec_log\" \
+ -DDOC_ROOT=\"$(datadir)/htdocs\" \
+ -DSAFE_PATH=\"$(suexec_safepath)\" \
+ ' \
+ suexec; \
fi; \
echo "<=== $(SRC)/support"
1.9 +3 -0 apache-1.3/README.configure
Index: README.configure
===================================================================
RCS file: /export/home/cvs/apache-1.3/README.configure,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- README.configure 1998/05/06 15:44:25 1.8
+++ README.configure 1998/05/08 07:50:21 1.9
@@ -95,6 +95,9 @@
--enable-suexec \
--suexec-caller=www \
--suexec-userdir=.www
+ --suexec-uidmin=1000 \
+ --suexec-gidmin=1000 \
+ --suexec-safepath="/bin:/usr/bin"
$ make
$ make install
1.24 +38 -0 apache-1.3/configure
Index: configure
===================================================================
RCS file: /export/home/cvs/apache-1.3/configure,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- configure 1998/05/07 15:24:43 1.23
+++ configure 1998/05/08 07:50:21 1.24
@@ -164,8 +164,12 @@
# suexec defaults
suexec=0
+suexec_ok=0
suexec_caller=www
suexec_userdir=public_html
+suexec_uidmin=100
+suexec_gidmin=100
+suexec_safepath="/usr/local/bin:/usr/bin:/bin"
# with support tools
support=1
@@ -347,6 +351,9 @@
echo " --enable-suexec enable the suEXEC feature"
echo " --suexec-caller=NAME set the suEXEC username of the allowed caller [$suexec_caller]"
echo " --suexec-userdir=DIR set the suEXEC user subdirectory [$suexec_userdir]"
+ echo " --suexec-uidmin=UID set the suEXEC minimal allowed UID [$suexec_uidmin]"
+ echo " --suexec-gidmin=GID set the suEXEC minimal allowed GID [$suexec_gidmin]"
+ echo " --suexec-safepath=PATH set the suEXEC safe PATH [$suexec_safepath]"
echo ""
exit 0
;;
@@ -631,10 +638,24 @@
;;
--suexec-caller=*)
suexec_caller="$apc_optarg"
+ suexec_ok=1
;;
--suexec-userdir=*)
suexec_userdir="$apc_optarg"
+ suexec_ok=1
;;
+ --suexec-uidmin=*)
+ suexec_uidmin="$apc_optarg"
+ suexec_ok=1
+ ;;
+ --suexec-gidmin=*)
+ suexec_gidmin="$apc_optarg"
+ suexec_ok=1
+ ;;
+ --suexec-safepath=*)
+ suexec_safepath="$apc_optarg"
+ suexec_ok=1
+ ;;
* )
echo "configure:Error: invalid option '$apc_option'" 1>&2
exit 1
@@ -648,6 +669,20 @@
fi
##
+## a few errors
+##
+if [ ".$suexec" = .1 ]; then
+ if [ ".$suexec_ok" = .0 ]; then
+ echo "configure:Error: You enabled the suEXEC feature via --enable-suexec but"
+ echo " without explicitly configuring it via at least one"
+ echo " --suexec-xxxxx option. Seems like you are still not"
+ echo " familiar with the suEXEC risks. Please read the INSTALL"
+ echo " and htdocs/manual/suexec.html documents first."
+ exit 1
+ fi
+fi
+
+##
## a few warnings
##
if [ ".$PERL" = .no-perl-on-this-system ]; then
@@ -780,6 +815,9 @@
-e "s%@suexec@%$suexec%g" \
-e "s%@suexec_caller@%$suexec_caller%g" \
-e "s%@suexec_userdir@%$suexec_userdir%g" \
+-e "s%@suexec_uidmin@%$suexec_uidmin%g" \
+-e "s%@suexec_gidmin@%$suexec_gidmin%g" \
+-e "s%@suexec_safepath@%$suexec_safepath%g" \
-e "s%@build_support@%$build_support%g" \
-e "s%@install_support@%$install_support%g" \
-e "s%@clean_support@%$clean_support%g" \