
Merge pull request #12181 from micmac1/apa-suid

apache: tighten log dir + suEXEC
lilik-openwrt-22.03
Rosen Penev 4 years ago
committed by GitHub
parent
commit
7235ec41c3
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 9 deletions
  1. +22
    -8
      net/apache/Makefile
  2. +2
    -1
      net/apache/files/apache2.init

+ 22
- 8
net/apache/Makefile

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=apache
PKG_VERSION:=2.4.43
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE_NAME:=httpd
PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2
@ -246,12 +246,9 @@ endif
ifneq ($(CONFIG_PACKAGE_apache-mod-suexec)$(CONFIG_PACKAGE_apache-suexec),)
CONFIGURE_ARGS+= \
--enable-suexec \
--with-suexec-bin=/usr/sbin/suexec \
--with-suexec-bin=/usr/lib/apache2/suexec_dir/suexec \
--with-suexec-caller=apache \
--with-suexec-docroot=/var/www \
--with-suexec-logfile=/var/log/apache2/suexec.log \
--with-suexec-uidmin=99 \
--with-suexec-gidmin=99
--with-suexec-logfile=/var/log/apache2/suexec.log
else
CONFIGURE_ARGS+= \
--disable-suexec
@ -331,8 +328,9 @@ define Package/apache-icons/install
endef
define Package/apache-suexec/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/suexec $(1)/usr/sbin
$(INSTALL_DIR) -m0750 $(1)/usr/lib/apache2/suexec_dir
$(INSTALL_SUID) $(PKG_INSTALL_DIR)/usr/sbin/suexec \
$(1)/usr/lib/apache2/suexec_dir
endef
define Package/apache-utils/install
@ -342,6 +340,22 @@ define Package/apache-utils/install
$(1)/usr/sbin
endef
# Directory "suexec_dir" is installed with '-m0750' above and contains
# SUID binary "suexec". Below post-install script changes the group of
# "suexec_dir" to apache, so user apache can access the folder (and the
# SUID binary). The script only changes the group if the directory is
# currently owned by "root:root".
define Package/apache-suexec/postinst
#!/bin/sh
if [ -z "$${IPKG_INSTROOT}" ]; then
dir="/usr/lib/apache2/suexec_dir"
if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]; then
chown :apache "$$dir"
fi
fi
exit 0
endef
define Package/apache/Module
define Package/apache-mod-$(1)
$(call Package/apache/Default)
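Review bot: In `Package/apache-suexec/postinst` the trailing `exit 0` hides a failed `chown :apache "$$dir"`, so if the `apache` group does not exist when the script runs, `suexec_dir` stays `root:root` with mode 0750 and suEXEC is silently unusable for the `apache` caller. That fails closed, which is the safe direction, but it is hard to diagnose; consider `chown :apache "$$dir" || echo "apache-suexec: cannot set group apache on $$dir" >&2`. The same result presumably applies when the package is installed into an image root, because the whole block is skipped when `IPKG_INSTROOT` is set. A sentence in the comment above the define saying how the group is meant to be set in that case would help.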


+ 2
- 1
net/apache/files/apache2.init

@ -11,7 +11,8 @@ restart() {
}
start() {
mkdir -p /var/log/apache2 /var/run/apache2
mkdir -p -m 0750 /var/log/apache2
mkdir -p /var/run/apache2
apachectl -k start
}
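Review bot: `mkdir -p -m 0750 /var/log/apache2` in `start()` applies the mode only when it creates the directory, so a `/var/log/apache2` that already exists (for instance from a start made before this change was installed) keeps its previous, wider permissions. Following it with `chmod 0750 /var/log/apache2` would enforce the tightened mode on every start. A short comment there that the directory is restricted because it holds `suexec.log` would also tell the next maintainer why the two `mkdir` calls were split.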

