1
#! /bin/sh /usr/share/dpatch/dpatch-run
2
## 202_suexec-custom.dpatch by Stefan Fritsch <sf@debian.org>
4
## All lines beginning with `## DP:' are a description of the patch.
5
## DP: the actual patch to make suexec-custom read a config file
8
--- a/support/suexec-custom.c
9
+++ b/support/suexec-custom.c
14
+#define SUEXEC_CONFIG_DIR "/etc/apache2/suexec/"
17
#include "ap_config.h"
19
#include <sys/types.h>
30
+static int read_line(char *buf, FILE *file) {
32
+ p = fgets(buf, AP_MAXPATH+1, file);
34
+ if (*p == '\0') return 1;
41
+ /* remove trailing space and slash */
42
+ while ( isspace(*p) && p >= buf )
44
+ while ( *p == '/' && p >= buf )
50
static void clean_env(void)
54
struct stat dir_info; /* directory info holder */
55
struct stat prg_info; /* program info holder */
56
int cwdh; /* handle to cwd */
57
+ char *suexec_docroot = NULL;
58
+ char *suexec_userdir_suffix = NULL;
59
+ char *filename = NULL;
63
* Start with a "clean" environment
65
|| (! strcmp(AP_HTTPD_USER, pw->pw_name)))
66
#endif /* _OSD_POSIX */
69
- fprintf(stderr, " -D AP_DOC_ROOT=\"%s\"\n", AP_DOC_ROOT);
71
+ fprintf(stderr, " -D SUEXEC_CONFIG_DIR=%s\n", SUEXEC_CONFIG_DIR);
73
fprintf(stderr, " -D AP_GID_MIN=%d\n", AP_GID_MIN);
76
- fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
79
fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
83
fprintf(stderr, " -D AP_UID_MIN=%d\n", AP_UID_MIN);
85
-#ifdef AP_USERDIR_SUFFIX
86
- fprintf(stderr, " -D AP_USERDIR_SUFFIX=\"%s\"\n", AP_USERDIR_SUFFIX);
92
target_gname = argv[2];
96
- * Check to see if the user running this program
97
- * is the user allowed to do so as defined in
98
- * suexec.h. If not the allowed user, error out.
101
- /* User name comparisons are case insensitive on BS2000/OSD */
102
- if (strcasecmp(AP_HTTPD_USER, pw->pw_name)) {
103
- log_err("user mismatch (%s instead of %s)\n", pw->pw_name, AP_HTTPD_USER);
106
-#else /*_OSD_POSIX*/
107
- if (strcmp(AP_HTTPD_USER, pw->pw_name)) {
108
- log_err("user mismatch (%s instead of %s)\n", pw->pw_name, AP_HTTPD_USER);
111
-#endif /*_OSD_POSIX*/
114
* Check for a leading '/' (absolute path) in the command to be executed,
119
+ * Check to see if the user running this program
120
+ * is the user allowed to do so as defined in
121
+ * SUEXEC_CONFIG_DIR/username
122
+ * If not, error out.
124
+ filename = malloc(AP_MAXPATH+1);
125
+ suexec_docroot = malloc(AP_MAXPATH+1);
126
+ suexec_userdir_suffix = malloc(AP_MAXPATH+1);
127
+ if (!filename || !suexec_docroot || !suexec_userdir_suffix) {
128
+ log_err("malloc failed\n");
132
+ strncpy(filename, SUEXEC_CONFIG_DIR, AP_MAXPATH);
133
+ strncat(filename, pw->pw_name, AP_MAXPATH);
134
+ filename[AP_MAXPATH] = '\0';
136
+ configfile = fopen(filename, "r");
138
+ log_err("User %s not allowed: Could not open config file %s\n", pw->pw_name, filename);
142
+ if (!read_line(suexec_docroot, configfile)) {
143
+ log_err("Could not read docroot from %s\n", filename);
147
+ if (!read_line(suexec_userdir_suffix, configfile)) {
148
+ log_err("Could not read userdir suffix from %s\n", filename);
152
+ fclose(configfile);
155
+ if ( !isalnum(*suexec_userdir_suffix) && suexec_userdir_suffix[0] != '.') {
156
+ log_err("userdir suffix disabled in %s\n", filename);
161
+ if (suexec_docroot[0] != '/') {
162
+ log_err("docroot disabled in %s\n", filename);
166
+ if (suexec_docroot[1] == '/' ||
167
+ suexec_docroot[1] == '.' ||
168
+ suexec_docroot[1] == '\0' )
170
+ log_err("invalid docroot %s in %s\n", suexec_docroot, filename);
176
* Error out if the target username is invalid.
178
if (strspn(target_uname, "1234567890") != strlen(target_uname)) {
182
if (((chdir(target_homedir)) != 0) ||
183
- ((chdir(AP_USERDIR_SUFFIX)) != 0) ||
184
+ ((chdir(suexec_userdir_suffix)) != 0) ||
185
((getcwd(dwd, AP_MAXPATH)) == NULL) ||
186
((fchdir(cwdh)) != 0)) {
187
log_err("cannot get docroot information (%s)\n", target_homedir);
188
@@ -516,10 +574,10 @@
192
- if (((chdir(AP_DOC_ROOT)) != 0) ||
193
+ if (((chdir(suexec_docroot)) != 0) ||
194
((getcwd(dwd, AP_MAXPATH)) == NULL) ||
195
((fchdir(cwdh)) != 0)) {
196
- log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT);
197
+ log_err("cannot get docroot information (%s)\n", suexec_docroot);