Apache 1.3.27 modssl phpsuexec patch
Starhost : N.Elsten
elsten at starhost.nl
Sun Apr 13 17:45:22 PDT 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear reader,
I made a patch for suexec and php for the apache13-modssl port. Maybe
you can include the patch in the port.
Attached you will find the diff files. The patch called
"patch-Makefile" is a patch you as the port maintainer should apply on
the Makefile from the port. And the file "patch-phpsuexec" should be
included in the dir "files/"
I would like to hear from you if you will be adding my patch :).
Sincerely,
N.P.G. Elsten
Starhost
___________________________________________________________
Duiker 70 Verkoop: sales at starhost.nl
1613 AH Grootebroek Storing: storing at starhost.nl
Tel.: +31 228 524472 Technische: helpdesk at starhost.nl
Fax.: +31 228 524468 Website: http://www.starhost.nl
___________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i
iQA/AwUBPpn2ir9NzcDv91UqEQKhDwCdG6l3PkRufagVw2Y3jQUoFAkQEZIAn28C
pXGQirqFLQCoDp5q0Zp/zqVT
=K2rk
-----END PGP SIGNATURE-----
-------------- next part --------------
--- Makefile_echt Sun Apr 13 21:51:20 2003
+++ Makefile Sun Apr 13 23:55:35 2003
@@ -57,6 +57,10 @@
--suexec-logfile=/var/log/httpd-suexec.log \
--suexec-userdir=${APACHE_SUEXEC_USERDIR} \
--suexec-safepath=${DEFAULT_PATH}
+.if defined(WITH_APACHE_PHPSUEXEC)
+SUEXEC_CONF+=\
+ --enable-suexecphp
+.endif
.if defined(APACHE_SUEXEC_UMASK)
SUEXEC_CONF+=\
-------------- next part --------------
--- configure.orig Sun Apr 13 23:19:09 2003
+++ configure Sun Apr 13 23:29:13 2003
@@ -460,6 +460,7 @@
echo ""
echo "suEXEC options:"
echo " --enable-suexec enable the suEXEC feature"
+ echo " --enable-suexecphp enable suEXEC in combination with php"
echo " --suexec-caller=NAME set the suEXEC username of the allowed caller [$suexec_caller]"
echo " --suexec-docroot=DIR set the suEXEC root directory [PREFIX/share/htdocs]"
echo " --suexec-logfile=FILE set the suEXEC logfile [PREFIX/var/log/suexec_log]"
@@ -865,6 +866,9 @@
suexec )
suexec=1
;;
+ suexecphp )
+ phpsuexec=1
+ ;;
* )
echo "configure:Error: invalid option '$apc_option'" 1>&2
exit 1
@@ -1371,8 +1375,10 @@
echo "echo '-DRESOURCE_CONFIG_FILE=\"${sysconfdir_relative}srm.conf\"'" >>$src/apaci
echo "echo '-DSSL_CERTIFICATE_FILE=\"${sysconfdir_relative}ssl.crt/server.crt\"'" >>$src/apaci
echo "echo '-DEAPI_MM_CORE_PATH=\"${runtimedir_relative}${thetarget}.mm\"'" >>$src/apaci
+[ x"$phpsuexec" = "x1" ] && echo "echo '-DINCLUDEPHP'" >> $src/apaci
chmod a+x $src/apaci
CFLAGS="$CFLAGS \\\`\$(SRCDIR)/apaci\\\`"
+grep -l 'INCLUDEPHP' $src/support/suexec.h || echo "#define INCLUDEPHP" >> $src/support/suexec.h
##
## create $src/Configuration.apaci file
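Review bot: The added `grep -l 'INCLUDEPHP' ... || echo "#define INCLUDEPHP" >> $src/support/suexec.h` line is not guarded by `$phpsuexec`, so suexec.h receives the define on every configure run, including builds that never passed --enable-suexecphp. Presumably the setuid suexec binary then always compiles in the PHPHANDLER code path. Guard it like the apaci line above it and use `-q` so the file name is not printed: `[ x"$phpsuexec" = "x1" ] && { grep -q 'INCLUDEPHP' $src/support/suexec.h || echo "#define INCLUDEPHP" >> $src/support/suexec.h; }`. Appending to the shipped header also means the define survives a later reconfigure without the option, which deserves a comment here.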
--- apache_1.3.27/src/modules/standard/mod_cgi.c Tue Jun 18 19:27:09 2002
+++ src/modules/standard/mod_cgi.c Mon Apr 14 00:31:02 2003
@@ -79,8 +79,23 @@
#include "util_script.h"
#include "http_conf_globals.h"
+#ifdef INCLUDEPHP
+#define PHP3HANDLER "/usr/local/bin/php3.cgi"
+#define PHP4HANDLER "/usr/local/bin/php4.cgi"
+#define PHP3 3
+#define PHP4 4
+#define PHP3TYPE "application/x-httpd-php3"
+#define PHP4TYPE "application/x-httpd-php"
+#endif
+
module MODULE_VAR_EXPORT cgi_module;
+#ifdef INCLUDEPHP
+void addversion(server_rec *s) {
+ ap_add_version_component("PHP-CGI/0.1b");
+}
+#endif
+
/* KLUDGE --- for back-combatibility, we don't have to check ExecCGI
* in ScriptAliased directories, which means we need to know if this
* request came through ScriptAlias or not... so the Alias module
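Review bot: `addversion` is declared with a single `server_rec *` parameter and external linkage, but a later hunk installs it in the module's initializer slot, which Apache 1.3 calls with `(server_rec *, pool *)`. Declare it as `static void addversion(server_rec *s, pool *p)` so the prototype matches the slot and the name stays out of the global namespace. A short comment above the `PHP3HANDLER`/`PHP4HANDLER` defines, saying that these absolute paths are what suexec will execute as the target user, would help whoever packages the port.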
@@ -294,6 +309,10 @@
int nph;
int debug;
char *argv0;
+#ifdef INCLUDEPHP
+ char *phphandler;
+ int phptype;
+#endif
};
static int cgi_child(void *child_stuff, child_info *pinfo)
@@ -313,7 +332,14 @@
int i;
#endif
- char **env;
+
+char **env;
+
+#ifdef INCLUDEPHP
+ if (cld->phptype)
+ if (cld->phphandler)
+ ap_table_setn(r->subprocess_env, "PHPHANDLER", cld->phphandler);
+#endif
RAISE_SIGSTOP(CGI_CHILD);
#ifdef DEBUG_CGI
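Review bot: The added block sets `PHPHANDLER` in `r->subprocess_env` when `cld->phptype` is non-zero but never removes it otherwise, so a `PHPHANDLER` value that reached the table some other way (this hunk cannot rule out environment directives doing so) is handed to the child unchanged for an ordinary CGI request. Since suexec_php.c acts on that variable, add an explicit else branch: `else ap_table_unset(r->subprocess_env, "PHPHANDLER");`. The two nested unbraced `if`s would read better as one braced `if (cld->phptype && cld->phphandler) { ... }`, and `char **env;` lost its indentation in this hunk. cgi_child's body starts and ends outside the hunk.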
@@ -387,6 +413,25 @@
return DECLINED;
}
+/* do php stuff */
+#ifdef INCLUDEPHP
+ if (r->handler) {
+ if (!strcmp(r->handler, PHP4TYPE)) {
+ cld.phptype = PHP4;
+ cld.phphandler = PHP4HANDLER;
+ } else {
+ if (!strcmp(r->handler, PHP3TYPE)) {
+ cld.phptype = PHP3;
+ cld.phphandler = PHP3HANDLER;
+ } else {
+ cld.phptype = 0;
+ }
+ }
+ } else {
+ cld.phptype = 0;
+ }
+#endif
+
if ((argv0 = strrchr(r->filename, '/')) != NULL)
argv0++;
else
@@ -425,10 +470,13 @@
return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
"attempt to invoke directory as script");
if (!ap_suexec_enabled) {
- if (!ap_can_exec(&r->finfo))
- return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
- "file permissions deny server execution");
- }
+ #ifdef INCLUDEPHP
+ if (!cld.phptype)
+ #endif
+ if (!ap_can_exec(&r->finfo))
+ return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
+ "file permissions deny server execution");
+ }
if ((retval = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))
return retval;
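Review bot: The `ap_can_exec()` check is skipped for PHP requests inside the `if (!ap_suexec_enabled)` branch, yet nothing visible in this patch routes the request through the PHP handler in that case; the handler path is only consumed by suexec. If that reading is right, a non-executable PHP file on a server without suexec now fails later at exec time instead of getting the clean FORBIDDEN response. Separately, an `#ifdef`-wrapped unbraced `if` guarding another `if` is fragile. Prefer one braced condition such as `if (!is_php && !ap_can_exec(&r->finfo)) {`, with a local `is_php` that is 0 when INCLUDEPHP is undefined.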
@@ -603,13 +651,21 @@
{
{CGI_MAGIC_TYPE, cgi_handler},
{"cgi-script", cgi_handler},
+#ifdef INCLUDEPHP
+ {PHP3TYPE, cgi_handler},
+ {PHP4TYPE, cgi_handler},
+#endif
{NULL}
};
module MODULE_VAR_EXPORT cgi_module =
{
STANDARD_MODULE_STUFF,
- NULL, /* initializer */
+#ifndef INCLUDEPHP
+ NULL, /* initializer */
+#else
+ addversion,
+#endif
NULL, /* dir config creater */
NULL, /* dir merger --- default is to override */
create_cgi_config, /* server config */
--- /root/suexec.c Mon Apr 14 02:08:07 2003
+++ src/support/suexec_php.c Mon Apr 14 02:12:11 2003
@@ -273,8 +273,29 @@
struct group *gr; /* group entry holder */
struct stat dir_info; /* directory info holder */
struct stat prg_info; /* program info holder */
+#ifdef INCLUDEPHP
+ int usephp;
+ char *phphandler;
+ struct stat phpfinfo;
+ char *newargv[4];
+#endif
prog = argv[0];
+
+#ifdef INCLUDEPHP
+ /* check if it's a php file */
+ phphandler = getenv("PHPHANDLER");
+ if (phphandler) {
+ if ((stat(phphandler, &phpfinfo)) == -1) {
+ log_err("Unable to stat php handler %s: %s\n", strerror(errno));
+ exit(1);
+ }
+ usephp = 1;
+ } else {
+ usephp = 0;
+ }
+#endif
+
/*
* Check existence/validity of the UID of the user
* running this program. Error out if invalid.
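Review bot: suexec takes the interpreter path from the `PHPHANDLER` environment variable and only checks that `stat()` succeeds, so the setuid wrapper will later exec whatever path its caller supplies, as the target user. Compare the handler against the compiled-in paths (the `PHP3HANDLER`/`PHP4HANDLER` defines, which would have to move from mod_cgi.c into suexec.h) and check its ownership and mode, as suexec does for the target program. The `log_err` call in the same block has two `%s` conversions but passes only `strerror(errno)`, which is undefined behaviour; `phphandler` is missing as the first argument. The enclosing function starts and ends outside the hunk.

```c
    phphandler = getenv("PHPHANDLER");
    usephp = 0;
    if (phphandler) {
        /* accept only the handlers compiled into this binary */
        if (strcmp(phphandler, PHP3HANDLER) != 0 &&
            strcmp(phphandler, PHP4HANDLER) != 0) {
            log_err("crit: php handler not permitted: (%s)\n", phphandler);
            exit(1);
        }
        if (stat(phphandler, &phpfinfo) == -1) {
            log_err("Unable to stat php handler %s: %s\n",
                    phphandler, strerror(errno));
            exit(1);
        }
        /* reject a handler that is not root-owned or is group/world-writable */
        if (phpfinfo.st_uid != 0 ||
            (phpfinfo.st_mode & (S_IWGRP | S_IWOTH))) {
            log_err("crit: php handler has unsafe owner or mode: (%s)\n",
                    phphandler);
            exit(1);
        }
        usephp = 1;
    }
    /* … unchanged: UID validity check of the calling user … */
```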
@@ -381,9 +402,19 @@
/*
* Error out if the target username is invalid.
*/
- if ((pw = getpwnam(target_uname)) == NULL) {
- log_err("crit: invalid target user name: (%s)\n", target_uname);
- exit(105);
+ if (strspn(target_uname, "1234567890") != strlen(target_uname)) {
+ if ((pw = getpwnam(target_uname)) == NULL) {
+ log_err("crit: invalid target user name: (%s)\n", target_uname);
+ exit(105);
+ }
+ } else {
+ if ((pw = (struct passwd *) malloc(sizeof(struct passwd))) == NULL) {
+ log_err("crit: malloc failed\n");
+ exit(1);
+ }
+ pw->pw_uid = atoi(target_uname);
+ pw->pw_name = target_uname;
+ pw->pw_dir = "";
}
/*
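Review bot: For an all-digit `target_uname` the new branch skips the passwd lookup and fabricates a `struct passwd` with `malloc`, so any numeric uid is accepted whether or not an account exists, and `pw_gid` and the other fields are left indeterminate. An empty string also takes this branch because `strspn` and `strlen` are both 0, and `atoi("")` yields uid 0 unless a later check outside this hunk rejects it. The change is not under `#ifdef INCLUDEPHP`, so it alters stock suexec behaviour in every build. Keep a real lookup and only change its key: `if ((pw = getpwuid((uid_t) atoi(target_uname))) == NULL) {` followed by the existing `log_err`/`exit(105)`, and require `*target_uname != '\0'` before taking the numeric branch.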
@@ -565,6 +596,7 @@
* Error out if the target name/group is different from
* the name/group of the cwd or the program.
*/
+#ifndef HAVECGIDIR
if ((uid != dir_info.st_uid) ||
(gid != dir_info.st_gid) ||
(uid != prg_info.st_uid) ||
@@ -576,15 +608,43 @@
prg_info.st_uid, prg_info.st_gid);
exit(120);
}
+#else
+ if (strcmp(cwd, CGIDIR)) {
+ if ((uid != dir_info.st_uid) ||
+ (gid != dir_info.st_gid) ||
+ (uid != prg_info.st_uid) ||
+ (gid != prg_info.st_gid)) {
+ log_err("error: target uid/gid (%ld/%ld) mismatch "
+ "with directory %s (%ld/%ld) or program (%ld/%ld)\n",
+ uid, gid, cwd,
+ dir_info.st_uid, dir_info.st_gid,
+ prg_info.st_uid, prg_info.st_gid);
+ exit(120);
+ }
+ } else {
+ /* Check if the owner of the CGI directory is the right one */
+ if ((dir_info.st_uid != CGIDIRUID) || (dir_info.st_gid != CGIDIRGID)) {
+ log_err("error: target uid/gid (%ld/%ld) mismatch "
+ "with cgi-bin directory %s (%ld/%ld)\n",
+ uid, gid, cwd,
+ dir_info.st_uid, dir_info.st_gid);
+ exit(120);
+ }
+ } // else
+ /* If the if failed, we have entered the default CGI dir */
+#endif
/*
* Error out if the program is not executable for the user.
* Otherwise, she won't find any error in the logs except for
* "[error] Premature end of script headers: ..."
*/
- if (!(prg_info.st_mode & S_IXUSR)) {
- log_err("error: file has no execute permission: (%s/%s)\n", cwd, cmd);
- exit(121);
- }
+#ifdef INCLUDEPHP
+ if (!usephp)
+#endif
+ if (!(prg_info.st_mode & S_IXUSR)) {
+ log_err("error: file has no execute permission: (%s/%s)\n", cwd, cmd);
+ exit(121);
+ }
#ifdef SUEXEC_UMASK
/*
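Review bot: In the `HAVECGIDIR` branch, when `cwd` equals `CGIDIR` only the directory's owner is compared with `CGIDIRUID`/`CGIDIRGID`; `prg_info.st_uid` and `prg_info.st_gid` are never checked, so any file in that directory runs as the target user regardless of who owns it. Add the program's ownership to the same condition, e.g. `(prg_info.st_uid != CGIDIRUID) || (prg_info.st_gid != CGIDIRGID)`. `HAVECGIDIR`, `CGIDIR`, `CGIDIRUID` and `CGIDIRGID` are not defined anywhere in the visible patch and need a documented definition site. The log text still says "target uid/gid" although the comparison is against the CGI directory owner. The `#ifndef HAVECGIDIR` that this `#else` belongs to is opened in the previous hunk.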
@@ -612,6 +672,14 @@
log = NULL;
}
+#ifdef INCLUDEPHP
+ if (usephp) {
+ newargv[0] = phphandler;
+ newargv[1] = cmd;
+ newargv[2] = NULL;
+ }
+#endif
+
/*
* Execute the command, replacing our image with its own.
*/
@@ -621,9 +689,18 @@
extern char **environ;
ap_execve(cmd, &argv[3], environ);
+#error "mekker"
}
#else /*NEED_HASHBANG_EMUL*/
- execv(cmd, &argv[3]);
+#ifdef INCLUDEPHP
+ if (!usephp) {
+#endif
+ execv(cmd, &argv[3]);
+#ifdef INCLUDEPHP
+ } else {
+ execv(newargv[0], newargv);
+ }
+#endif
#endif /*NEED_HASHBANG_EMUL*/
/*
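Review bot: The added `#error "mekker"` makes every build with `NEED_HASHBANG_EMUL` defined fail with a message that explains nothing; it looks like a leftover marker for the unimplemented PHP case on that path. Either handle `usephp` there too or make the failure conditional and descriptive: `#ifdef INCLUDEPHP` / `#error "suexecphp is not supported with NEED_HASHBANG_EMUL"` / `#endif`. The brace pairs split across `#ifdef INCLUDEPHP` blocks around `execv` are easy to unbalance. Declaring `usephp` unconditionally (0 without INCLUDEPHP) would allow a plain `if (usephp) execv(newargv[0], newargv); else execv(cmd, &argv[3]);`.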