From dbaad2fa44ef93089879d90e1a06342820a1374b Mon Sep 17 00:00:00 2001
From: Sebastian Kemper
Date: Sat, 16 May 2020 14:24:03 +0200
Subject: [PATCH 1/2] apache: create log directory o=
Hides away the contents of the log directory from others.
Signed-off-by: Sebastian Kemper
---
net/apache/files/apache2.init | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/apache/files/apache2.init b/net/apache/files/apache2.init
index a0136c841..df2e2646e 100644
--- a/net/apache/files/apache2.init
+++ b/net/apache/files/apache2.init
@@ -11,7 +11,8 @@ restart() {
 }
 start() {
- mkdir -p /var/log/apache2 /var/run/apache2
+ mkdir -p -m 0750 /var/log/apache2
+ mkdir -p /var/run/apache2
 apachectl -k start
 }
From 07db6b4a39b9b41e0c746ac84cf429af244f29ec Mon Sep 17 00:00:00 2001
From: Sebastian Kemper
Date: Sat, 16 May 2020 14:30:39 +0200
Subject: [PATCH 2/2] apache: revisit suEXEC setup
When adding suEXEC to the apache package, Alpine's package [1] served as a template. Not enough attention was paid to the details. Alpine uses a different layout. So for OpenWrt to use /var/www as DocumentRoot does not make sense. /var is also volatile on OpenWrt. This commit removes the configure argument. The default is htdocsdir. This also does away with uidmin/gidmin 99. The default is 100, which is fine. Finally, the suexec binary is moved from /usr/sbin to /usr/lib/apache2/suexec_dir. Upstream recommends installing suexec with "4750" (see [2]) and the group set to the user's group. While that would be possible, it would cause a few headaches on OpenWrt. The group would need to be changed first in a post-install script and a call to chmod would need to be made afterward, to make the binary SUID again. It's easier to hide the SUID binary away from others in a directory. This way we don't need to use chmod in the post-install script. [1] https://github.com/alpinelinux/aports/tree/master/main/apache2 [2] https://httpd.apache.org/docs/2.4/suexec.html
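Review bot: `mkdir -p -m 0750 /var/log/apache2` only applies the mode when it is the one creating the directory; if /var/log/apache2 already exists (a restart after an earlier start created it without `-m`, or anything else created it first) it keeps its old permissions and the log contents remain readable by others. Adding `chmod 0750 /var/log/apache2` after the mkdir makes the restriction hold on every start regardless of who created the directory. The suexec log configured in the Makefile patch is written into this same directory, so the mode matters for it as well. The closing brace of start() is the last line of the hunk; the rest of the init script is outside it.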
Signed-off-by: Sebastian Kemper
---
net/apache/Makefile | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/net/apache/Makefile b/net/apache/Makefile
index 4547002a9..8efcb77fa 100644
--- a/net/apache/Makefile
+++ b/net/apache/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=apache
 PKG_VERSION:=2.4.43
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_NAME:=httpd
 PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2
@@ -246,12 +246,9 @@ endif
 ifneq ($(CONFIG_PACKAGE_apache-mod-suexec)$(CONFIG_PACKAGE_apache-suexec),)
 CONFIGURE_ARGS+= \
 --enable-suexec \
- --with-suexec-bin=/usr/sbin/suexec \
+ --with-suexec-bin=/usr/lib/apache2/suexec_dir/suexec \
 --with-suexec-caller=apache \
- --with-suexec-docroot=/var/www \
- --with-suexec-logfile=/var/log/apache2/suexec.log \
- --with-suexec-uidmin=99 \
- --with-suexec-gidmin=99
+ --with-suexec-logfile=/var/log/apache2/suexec.log
 else
 CONFIGURE_ARGS+= \
 --disable-suexec
@@ -331,8 +328,9 @@ define Package/apache-icons/install
 endef
 define Package/apache-suexec/install
- $(INSTALL_DIR) $(1)/usr/sbin
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/suexec $(1)/usr/sbin
+ $(INSTALL_DIR) -m0750 $(1)/usr/lib/apache2/suexec_dir
+ $(INSTALL_SUID) $(PKG_INSTALL_DIR)/usr/sbin/suexec \
+ $(1)/usr/lib/apache2/suexec_dir
 endef
 define Package/apache-utils/install
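Review bot: Dropping `--with-suexec-docroot` means the directory suexec enforces at run time is whatever htdocsdir resolves to in this build, and that value is set outside the hunk; since suexec refuses to execute anything outside its compiled-in docroot, a comment next to `--enable-suexec` should record the decision, e.g. `# docroot, uidmin and gidmin use upstream defaults (htdocsdir, 100, 100) - see commit message`. The same goes for the removed uidmin/gidmin lines: without a comment the next reader cannot tell whether the 100/100 defaults named in the commit message were chosen or simply forgotten. The CONFIGURE_ARGS block is fully inside the hunk.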
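Review bot: The install recipe's security model (directory mode 0750 is what keeps non-members away from the setuid binary, the binary itself keeps whatever mode `$(INSTALL_SUID)` gives it, and the group is fixed up later in postinst) is explained only by the comment placed above the postinst define further down, not where the directory is actually created. A one-line comment above the `$(INSTALL_DIR) -m0750` line, `# 0750: SUID suexec must stay reachable only by root and (after postinst) group apache`, makes the recipe self-explanatory. This is defense in depth rather than the sole control, since suexec also checks at run time that its caller is the user given by `--with-suexec-caller`.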
@@ -342,6 +340,22 @@ define Package/apache-utils/install
 $(1)/usr/sbin
 endef
+# Directory "suexec_dir" is installed with '-m0750' above and contains
+# SUID binary "suexec". Below post-install script changes the group of
+# "suexec_dir" to apache, so user apache can access the folder (and the
+# SUID binary). The script only changes the group if the directory is
+# currently owned by "root:root".
+define Package/apache-suexec/postinst
+#!/bin/sh
+if [ -z "$${IPKG_INSTROOT}" ]; then
+ dir="/usr/lib/apache2/suexec_dir"
+ if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]; then
+ chown :apache "$$dir"
+ fi
+fi
+exit 0
+endef
 define Package/apache/Module
 define Package/apache-mod-$(1)
 $(call Package/apache/Default)
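Review bot: `chown :apache "$$dir"` has no error handling and the script always exits 0, so if the apache group does not exist yet when the postinst runs (presumably it is created by the package's own user/group setup — confirm the ordering) the failure is silent and httpd, running as apache, cannot traverse the 0750 directory; `chown :apache "$$dir" || echo "apache-suexec: failed to set group on $$dir" >&2` at least surfaces it in the install log. The `[ -O "$$dir" ] && [ -G "$$dir" ]` tests compare against the effective user and group running the script rather than root:root literally, so the comment above the define is more accurate as "owned by the installing user and group (root:root under opkg)". Because the whole block is skipped when IPKG_INSTROOT is set, a firmware image built with this package ships suexec_dir as root:root 0750 with no later fix-up; a comment stating that, or a uci-defaults hook applying the same chown at first boot, would save debugging time.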