rpms/mod_suphp/EL-4 mod_suphp-0.6.3-userdir.patch, NONE, 1.1 .cvsignore, 1.2, 1.3 mod_suphp.spec, 1.5, 1.6 sources, 1.2, 1.3
Andreas Thienemann (ixs)
fedora-extras-commits at redhat.com
Mon Mar 31 19:17:45 UTC 2008
Author: ixs
Update of /cvs/pkgs/rpms/mod_suphp/EL-4
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31994
Modified Files:
.cvsignore mod_suphp.spec sources
Added Files:
mod_suphp-0.6.3-userdir.patch
Log Message:
* Sun Mar 30 2008 Andreas Thienemann <andreas at bawue.net> - 0.6.3-1
- Updated to 0.6.3 fixing two security problems. #439687
mod_suphp-0.6.3-userdir.patch:
--- NEW FILE mod_suphp-0.6.3-userdir.patch ---
--- suphp-0.6.3/doc/suphp.conf-example.userdir 2005-11-26 20:29:02.000000000 +0100
+++ suphp-0.6.3/doc/suphp.conf-example 2008-03-31 02:08:13.000000000 +0200
@@ -38,6 +38,8 @@
; Minimum GID
min_gid=100
+; Use correct permissions for mod_userdir sites
+handle_userdir=true
[handlers]
;Handler for php-scripts
--- suphp-0.6.3/doc/CONFIG.userdir 2005-11-26 20:29:02.000000000 +0100
+++ suphp-0.6.3/doc/CONFIG 2008-03-31 02:08:13.000000000 +0200
@@ -95,6 +95,11 @@
Minimum GID allowed to execute scripts.
Defaults to compile-time value.
+handle_userdir:
+ Handle sites created by mod_userdir.
+ Scripts on userdir sites will be executed with the permissions
+ of the owner of the site. This option only affects force and paranoid mode.
+ This option is enabled by default.
3. Handlers
--- suphp-0.6.3/src/Configuration.cpp.userdir 2006-03-15 21:21:52.000000000 +0100
+++ suphp-0.6.3/src/Configuration.cpp 2008-03-31 02:08:13.000000000 +0200
@@ -112,6 +112,7 @@
#endif
this->umask = 0077;
this->chroot_path = "";
+ this->handle_userdir = true;
}
void suPHP::Configuration::readFromFile(File& file)
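Review bot: Defaulting `handle_userdir` to `true` in the constructor changes which account force- and paranoid-mode installs run scripts as for every `/~name/` URI, without any edit to suphp.conf. Because this setting decides the identity the setuid helper switches to, an opt-in default (`this->handle_userdir = false;`) would be the safer upgrade path, with suphp.conf-example showing how to enable it. The constructor body starts outside this hunk.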
@@ -157,6 +158,8 @@
this->umask = Util::octalStrToInt(value);
else if (key == "chroot")
this->chroot_path = value;
+ else if (key == "handle_userdir")
+ this->handle_userdir = this->strToBool(value);
else
throw ParsingException("Unknown option \"" + key +
"\" in section [global]",
@@ -250,3 +253,7 @@
std::string suPHP::Configuration::getChrootPath() const {
return this->chroot_path;
}
+
+bool suPHP::Configuration::getHandleUserdir() const {
+ return this->handle_userdir;
+}
--- suphp-0.6.3/src/apache2/mod_suphp.c.userdir 2006-11-06 01:57:12.000000000 +0100
+++ suphp-0.6.3/src/apache2/mod_suphp.c 2008-03-31 02:08:13.000000000 +0200
@@ -656,6 +656,10 @@
}
}
+ /* for mod_userdir checking */
+ apr_table_setn(r->subprocess_env, "SUPHP_URI",
+ apr_pstrdup(r->pool, r->uri));
+
if (auth_user && auth_pass)
{
apr_table_setn(r->subprocess_env, "SUPHP_AUTH_USER", auth_user);
--- suphp-0.6.3/src/Configuration.hpp.userdir 2005-11-26 20:29:02.000000000 +0100
+++ suphp-0.6.3/src/Configuration.hpp 2008-03-31 02:08:13.000000000 +0200
@@ -57,7 +57,8 @@
int min_gid;
int umask;
std::string chroot_path;
-
+ bool handle_userdir;
+
/**
* Converts string to bool
*/
@@ -165,6 +166,12 @@
* Return chroot path
*/
std::string getChrootPath() const;
+
+ /**
+ * Return whether to correctly handle mod_userdir sites
+ */
+ bool getHandleUserdir() const;
+
};
};
--- suphp-0.6.3/src/Application.hpp.userdir 2008-03-29 23:58:58.000000000 +0100
+++ suphp-0.6.3/src/Application.hpp 2008-03-31 02:09:27.000000000 +0200
@@ -39,6 +39,7 @@
#include "SystemException.hpp"
#include "SoftException.hpp"
#include "SecurityException.hpp"
+#include "UserInfo.hpp"
namespace suPHP {
/**
@@ -116,6 +117,13 @@
const Configuration& config) const
throw (SoftException);
+ /**
+ * Checks if a given URL is a userdir
+ * associated user is assigned to the user parameter
+ */
+ bool checkUserDir(const std::string& url,
+ UserInfo& user) const;
+
public:
/**
* Constructer
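Review bot: The doc comment on `checkUserDir` reads as two unconnected fragments and does not say what the return value means or that `user` is only written on success. Something like `Checks whether url starts with /~name for an existing system user; on success stores that user in the user parameter and returns true, otherwise returns false` would state the contract. It is also worth saying there that the decision is based on the URL text only, since the caller uses the result to pick the account a script runs as.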
--- suphp-0.6.3/src/apache/mod_suphp.c.userdir 2006-09-23 19:04:36.000000000 +0200
+++ suphp-0.6.3/src/apache/mod_suphp.c 2008-03-31 02:08:13.000000000 +0200
@@ -491,7 +491,10 @@
}
}
}
-
+
+ /* for mod_userdir checking */
+ apr_table_setn(r->subprocess_env, "SUPHP_URI", apr_pstrdup(p, r->uri));
+
if (auth_user && auth_pass) {
ap_table_setn(r->subprocess_env, "SUPHP_AUTH_USER", auth_user);
ap_table_setn(r->subprocess_env, "SUPHP_AUTH_PW", auth_pass);
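Review bot: The added call uses the APR names `apr_table_setn` and `apr_pstrdup(p, ...)`, while the surrounding code in this Apache 1.x module uses the `ap_` API (`ap_table_setn` on the following lines), and no pool named `p` is visible in the hunk. If this file is still built against Apache 1.3 the line will presumably not compile; it should read `ap_table_setn(r->subprocess_env, "SUPHP_URI", ap_pstrdup(r->pool, r->uri));`. The enclosing function starts and ends outside the hunk, so `p` may be declared there.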
--- suphp-0.6.3/src/Application.cpp.userdir 2008-03-30 13:43:38.000000000 +0200
+++ suphp-0.6.3/src/Application.cpp 2008-03-31 02:08:13.000000000 +0200
@@ -19,6 +19,7 @@
*/
#include <iostream>
+#include <sstream>
#include "config.h"
@@ -305,29 +306,33 @@
// Paranoid and force mode
#if (defined(OPT_USERGROUP_PARANOID) || defined(OPT_USERGROUP_FORCE))
- std::string targetUsername, targetGroupname;
- try {
- targetUsername = environment.getVar("SUPHP_USER");
- targetGroupname = environment.getVar("SUPHP_GROUP");
- } catch (KeyNotFoundException& e) {
- throw SecurityException(
+ if (config.getHandleUserdir() && checkUserDir(environment.getVar("SUPHP_URI"),targetUser)) {
+ targetGroup = targetUser.getGroupInfo();
+ } else {
+ std::string targetUsername, targetGroupname;
+ try {
+ targetUsername = environment.getVar("SUPHP_USER");
+ targetGroupname = environment.getVar("SUPHP_GROUP");
+ } catch (KeyNotFoundException& e) {
+ throw SecurityException(
"Environment variable SUPHP_USER or SUPHP_GROUP not set",
__FILE__, __LINE__);
- }
+ }
- if (targetUsername[0] == '#' && targetUsername.find_first_not_of(
+ if (targetUsername[0] == '#' && targetUsername.find_first_not_of(
"0123456789", 1) == std::string::npos) {
- targetUser = api.getUserInfo(Util::strToInt(targetUsername.substr(1)));
- } else {
- targetUser = api.getUserInfo(targetUsername);
- }
+ targetUser = api.getUserInfo(Util::strToInt(targetUsername.substr(1)));
+ } else {
+ targetUser = api.getUserInfo(targetUsername);
+ }
- if (targetGroupname[0] == '#' && targetGroupname.find_first_not_of(
+ if (targetGroupname[0] == '#' && targetGroupname.find_first_not_of(
"0123456789", 1) == std::string::npos) {
- targetGroup = api.getGroupInfo(
+ targetGroup = api.getGroupInfo(
Util::strToInt(targetGroupname.substr(1)));
- } else {
- targetGroup = api.getGroupInfo(targetGroupname);
+ } else {
+ targetGroup = api.getGroupInfo(targetGroupname);
+ }
}
#endif // OPT_USERGROUP_PARANOID || OPT_USERGROUP_FORCE
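Review bot: In the new `if` at the top of the force/paranoid block, the target user is taken from the `/~name` prefix of `SUPHP_URI` alone, and nothing visible here confirms that the script being executed lies under that user's home directory or that mod_userdir actually served the request. Whenever a `/~name/...` URI is mapped by something other than mod_userdir, this branch silently overrides the administrator's `SUPHP_USER`/`SUPHP_GROUP` setting; checking the script's path against that user's home directory before taking the branch would close the gap. Separately, `environment.getVar("SUPHP_URI")` sits outside the `try` that turns a missing variable into a `SecurityException` for the other two variables, so with a module that does not export `SUPHP_URI` a `KeyNotFoundException` escapes from this point unless a caller outside the hunk handles it. Moving that lookup into its own `try` with the same `SecurityException` handling would keep the failure mode consistent.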
@@ -519,6 +524,28 @@
} while (directory.getPath() != "/");
}
+bool suPHP::Application::checkUserDir(const std::string& url, UserInfo& user) const {
+
+ if (url.length() <= 2 || url[1] != '~')
+ return false;
+
+ API& api = API_Helper::getSystemAPI();
+ std::string topDir;
+ std::istringstream strm(url);
+
+ for (int i = 0; i < 2; i++)
+ if (!std::getline(strm, topDir, '/'))
+ return false;
+
+ std::string userName = topDir.substr(1,topDir.length());
+
+ try {
+ user = api.getUserInfo(userName);
+ return true;
+ } catch (LookupException& e) {
+ return false;
+ }
+}
int main(int argc, char **argv) {
try {
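Review bot: `checkUserDir` tests `url[1] != '~'` but never `url[0]`, and it hands whatever follows the tilde to `getUserInfo` even when that is empty (a URI of the form `/~/x` yields an empty `userName`). Guarding with `if (url.length() <= 2 || url[0] != '/' || url[1] != '~') return false;` and adding `if (userName.empty()) return false;` before the lookup keeps it to well-formed `/~name` prefixes instead of relying on `LookupException` for rejection. `topDir.substr(1, topDir.length())` can also be written `topDir.substr(1)`.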
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/mod_suphp/EL-4/.cvsignore,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- .cvsignore 30 Jun 2005 20:21:49 -0000 1.2
+++ .cvsignore 31 Mar 2008 19:17:06 -0000 1.3
@@ -1 +1 @@
-suphp-0.5.2.tar.gz
+suphp-0.6.3.tar.gz
Index: mod_suphp.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mod_suphp/EL-4/mod_suphp.spec,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- mod_suphp.spec 23 Aug 2005 15:13:11 -0000 1.5
+++ mod_suphp.spec 31 Mar 2008 19:17:06 -0000 1.6
@@ -1,23 +1,46 @@
-# Depending on what version of Fedora we're on, use a different php binary
-%if "%fedora" >= "4"
- %define php /usr/bin/php-cgi
+# Depending on what version of Fedora we're on, use a different php binary, different apr
+# and also different handler.
+%if 0%{?fedora}
+ %if "%{fedora}" >= "5"
+ %define php /usr/bin/php-cgi
+ %define handler php5-script
+ %define apr /usr/bin/apr-1-config
+ %endif
+ %if "%{fedora}" == "4"
+ %define php /usr/bin/php-cgi
+ %define handler x-httpd-php
+ %define apr /usr/bin/apr-config
+ %endif
+ %if "%{fedora}" <= "3"
+ %define php /usr/bin/php
+ %define handler x-httpd-php
+ %define apr /usr/bin/apr-config
+ %endif
%else
%define php /usr/bin/php
+ %define handler x-httpd-php
+ %define apr /usr/bin/apr-config
%endif
Summary: An apache2 module for executing PHP scripts with the permissions of their owners
Name: mod_suphp
-Version: 0.5.2
-Release: 8%{?dist}
+Version: 0.6.3
+Release: 1%{?dist}
License: GPL
Group: System Environment/Daemons
Source0: http://www.suphp.org/download/suphp-%{version}.tar.gz
Source1: suphp.conf
+Source2: mod_suphp.conf
+Source3: README.fedora
+Patch0: mod_suphp-0.6.3-userdir.patch
+Patch1: mod_suphp-0.6.1-AddHandler.patch
+Patch3: mod_suphp-0.6.1-chroot.patch
URL: http://www.suphp.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: httpd >= 2.0, php
Requires: httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing)
-BuildRequires: httpd-devel >= 2.0
+BuildRequires: httpd-devel >= 2.0, apr-devel
+
%description
suPHP is an apache module for executing PHP scripts with the permissions of
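Review bot: The nested tests such as `%if "%{fedora}" >= "5"` compare quoted strings, so a two-digit release like 10 sorts below "5" and instead matches the `<= "3"` arm, selecting `/usr/bin/php`, `x-httpd-php` and `apr-config`. Numeric comparison avoids that: `%if 0%{?fedora} >= 5`, `%if 0%{?fedora} == 4` and `%if 0%{?fedora} <= 3` inside the outer guard. On this EL-4 branch the `%else` arm is taken, so the effect is limited to builds where `%{fedora}` is defined.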
@@ -25,18 +48,34 @@
binary (suphp) that is called by the Apache module to change the uid of the
process executing the PHP interpreter.
+Please take a look at %{_docdir}/%{name}-%{version}/README.fedora for
+installation instructions.
+
%prep
%setup -q -n suphp-%{version}
+%patch0 -p 1 -b .userdir
+%patch1 -p 1 -b .AddHandler
+%patch3 -p 1 -b .chroot
+
+
+# fill placeholders
+sed -e 's|###PHP-BIN###|%{php}|g; s|###HANDLER###|%{handler}|g;' %{SOURCE1} > suphp.conf
+sed -e 's|###HANDLER###|%{handler}|g;' %{SOURCE2} > mod_suphp.conf
+sed -e 's|###HANDLER###|%{handler}|g;' %{SOURCE3} > README.fedora
+
%build
+echo "Building mod_suphp with %{php} as PHP interpreter and %{apr} for the apr configuration script."
+echo "%{handler} is used as a AddHandler."
%configure \
+ --with-apr=%{apr} \
+ --with-apxs=/usr/sbin/apxs \
--with-apache-user=apache \
--with-min-uid=500 \
--with-min-gid=500 \
--with-php=%{php} \
--with-logfile=/var/log/httpd/suphp_log \
- --with-setid-mode=owner \
- --disable-checkpath
+ --with-setid-mode=owner
pushd src
make %{?_smp_mflags} suphp
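Review bot: `%configure` keeps `--with-setid-mode=owner`, while the userdir logic that Patch0 adds to Application.cpp sits inside `#if (defined(OPT_USERGROUP_PARANOID) || defined(OPT_USERGROUP_FORCE))`, and the patched CONFIG text says the option only affects force and paranoid mode. In this build `handle_userdir` is therefore presumably parsed but has no effect, which is worth recording next to the patch application, for example `# userdir patch is inert with setid-mode=owner; kept for rebuilds in force or paranoid mode`. README.fedora would be a good second place for the same sentence so administrators do not rely on the option.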
@@ -47,26 +86,61 @@
mv .libs/mod_suphp.so .
popd
+
%install
-rm -rf $RPM_BUILD_ROOT
+rm -rf %{buildroot}
-%{__install} -c -m 4755 -D src/suphp $RPM_BUILD_ROOT%{_sbindir}/suphp
-%{__install} -m 755 -D src/apache2/mod_suphp.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules/mod_suphp.so
+%{__install} -c -m 4755 -D src/suphp %{buildroot}%{_sbindir}/suphp
+%{__install} -m 755 -D src/apache2/mod_suphp.so %{buildroot}%{_libdir}/httpd/modules/mod_suphp.so
+
+# Install the config files
+%{__install} -m 644 -D suphp.conf %{buildroot}%{_sysconfdir}/suphp.conf
+%{__install} -m 644 -D mod_suphp.conf %{buildroot}%{_sysconfdir}/httpd/conf.d/mod_suphp.conf
+
+# Rename docs
+cp doc/CONFIG CONFIG.suphp
+cp doc/apache/CONFIG CONFIG.apache
-# Install the config file
-%{__install} -m 644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/suphp.conf
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
-%doc README COPYING
-%{_sbindir}/suphp
+%doc README COPYING CONFIG.suphp CONFIG.apache README.fedora
+%attr (4550, root, apache) %{_sbindir}/suphp
%{_libdir}/httpd/modules/*.so
-%config(noreplace) %{_sysconfdir}/httpd/conf.d/*.conf
+%config(noreplace) %{_sysconfdir}/suphp.conf
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_suphp.conf
+
%changelog
+* Sun Mar 30 2008 Andreas Thienemann <andreas at bawue.net> - 0.6.3-1
+- Updated to 0.6.3 fixing two security problems. #439687
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng at fedoraproject.org> - 0.6.2-2
+- Autorebuild for GCC 4.3
+
+* Sat Mar 10 2007 Andreas Thienemann <andreas at bawue.net> - 0.6.2-1
+- Updated to 0.6.2
+- Reverted our double free patch. Upstream fixed their SmartPointer
+ implementation.
+- Reverted our apr Patch, upstream is working correctly with Apache 2.2 now
+
+* Fri Nov 10 2006 Andreas Thienemann <andreas at bawue.net> - 0.6.1-4
+- Fix double free corruption. For real this time. :-/
+
+* Fri Sep 08 2006 Andreas Thienemann <andreas at bawue.net> - 0.6.1-3
+- Finally fixed double free corruption #192415
+- Fixed up configuration creation
+
+* Wed May 24 2006 Andreas Thienemann <andreas at bawue.net> - 0.6.1-2
+- Corrected handler for mod_suphp.conf
+- Minor cleanups and fixes
+
+* Mon Feb 06 2006 Andreas Thienemann <andreas at bawue.net> 0.6.1-1
+- Updated to 0.6.1
+
* Tue Jul 09 2005 Andreas Thienemann <andreas at bawue.net> 0.5.2-8
- Added a dependency on a specific httpd-mmn
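Review bot: The helper is installed into the buildroot with `-m 4755` but packaged with `%attr (4550, root, apache)`, so the spec states two different modes for the setuid binary. The `%attr` line is what ends up in the package; the install line could drop the setuid bit (`%{__install} -c -m 0755 -D src/suphp %{buildroot}%{_sbindir}/suphp`) so the restrictive mode and ownership are defined in one place. `%clean` also still uses `$RPM_BUILD_ROOT` while `%install` now uses `%{buildroot}`.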
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/mod_suphp/EL-4/sources,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- sources 30 Jun 2005 20:21:49 -0000 1.2
+++ sources 31 Mar 2008 19:17:06 -0000 1.3
@@ -1 +1 @@
-337909e87027af124052baddddbd2994 suphp-0.5.2.tar.gz
+756e8893857fefed087a89959a87645a suphp-0.6.3.tar.gz