
apache: revisit suEXEC setup

When adding suEXEC to the apache package, Alpine's package [1] served as
a template. Not enough attention was paid to the details.

Alpine uses a different layout. So for OpenWrt to use /var/www as
DocumentRoot does not make sense. /var is also volatile on OpenWrt. This
commit removes the configure argument. The default is htdocsdir.

This also does away with uidmin/gidmin 99. The default is 100, which is
fine.

Finally, the suexec binary is moved from /usr/sbin to
/usr/lib/apache2/suexec_dir. Upstream recommends installing suexec with
"4750" (see [2]) and the group set to the user's group. While that would
be possible, it would cause a few headaches on OpenWrt. The group would
need to be changed first in a post-install script and a call to chmod
would need to be made afterward, to make the binary SUID again.

It's easier to hide the SUID binary away from others in a directory.
This way we don't need to use chmod in the post-install script.

[1] https://github.com/alpinelinux/aports/tree/master/main/apache2
[2] https://httpd.apache.org/docs/2.4/suexec.html

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
lilik-openwrt-22.03
Sebastian Kemper 5 years ago
commit
07db6b4a39
1 changed files with 22 additions and 8 deletions
  1. +22
    -8
      net/apache/Makefile

+ 22
- 8
net/apache/Makefile

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=apache PKG_NAME:=apache
PKG_VERSION:=2.4.43 PKG_VERSION:=2.4.43
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE_NAME:=httpd PKG_SOURCE_NAME:=httpd
PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2
@ -246,12 +246,9 @@ endif
ifneq ($(CONFIG_PACKAGE_apache-mod-suexec)$(CONFIG_PACKAGE_apache-suexec),) ifneq ($(CONFIG_PACKAGE_apache-mod-suexec)$(CONFIG_PACKAGE_apache-suexec),)
CONFIGURE_ARGS+= \ CONFIGURE_ARGS+= \
--enable-suexec \ --enable-suexec \
--with-suexec-bin=/usr/sbin/suexec \
--with-suexec-bin=/usr/lib/apache2/suexec_dir/suexec \
--with-suexec-caller=apache \ --with-suexec-caller=apache \
--with-suexec-docroot=/var/www \
--with-suexec-logfile=/var/log/apache2/suexec.log \
--with-suexec-uidmin=99 \
--with-suexec-gidmin=99
--with-suexec-logfile=/var/log/apache2/suexec.log
else else
CONFIGURE_ARGS+= \ CONFIGURE_ARGS+= \
--disable-suexec --disable-suexec
@ -331,8 +328,9 @@ define Package/apache-icons/install
endef endef
define Package/apache-suexec/install define Package/apache-suexec/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/suexec $(1)/usr/sbin
$(INSTALL_DIR) -m0750 $(1)/usr/lib/apache2/suexec_dir
$(INSTALL_SUID) $(PKG_INSTALL_DIR)/usr/sbin/suexec \
$(1)/usr/lib/apache2/suexec_dir
endef endef
define Package/apache-utils/install define Package/apache-utils/install
@ -342,6 +340,22 @@ define Package/apache-utils/install
$(1)/usr/sbin $(1)/usr/sbin
endef endef
# Directory "suexec_dir" is installed with '-m0750' above and contains
# SUID binary "suexec". Below post-install script changes the group of
# "suexec_dir" to apache, so user apache can access the folder (and the
# SUID binary). The script only changes the group if the directory is
# currently owned by "root:root".
define Package/apache-suexec/postinst
#!/bin/sh
if [ -z "$${IPKG_INSTROOT}" ]; then
dir="/usr/lib/apache2/suexec_dir"
if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]; then
chown :apache "$$dir"
fi
fi
exit 0
endef
define Package/apache/Module define Package/apache/Module
define Package/apache-mod-$(1) define Package/apache-mod-$(1)
$(call Package/apache/Default) $(call Package/apache/Default)
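Review bot: In the new `Package/apache-suexec/postinst`, the result of `chown :apache "$$dir"` is never checked and the script always ends with `exit 0`, so if the apache group does not exist yet, or the block is skipped because `IPKG_INSTROOT` is set, `suexec_dir` stays root:root with mode 0750 and the apache user cannot reach suexec, with nothing logged to explain why. That outcome fails closed, but it is silent; reporting it would help, for example `chown :apache "$$dir" || echo "apache-suexec: cannot set group on $$dir" >&2`. Separately, the directory mode is now the only thing limiting who can execute the binary, assuming `$(INSTALL_SUID)` leaves the file itself world-executable, so the comment above the postinst could state that loosening the mode or group of `suexec_dir` exposes the SUID binary to every local user. The unchanged `--with-suexec-logfile=/var/log/apache2/suexec.log` is also worth a check: suexec writes its log before dropping privileges, so that directory should be writable by root only.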

