ports/55952: [update] www/suphp: update to 0.3 and fix a security leak introduced with previous patch
Clement Laforet
sheepkiller at cultdeadsheep.org
Mon Aug 25 10:30:11 UTC 2003
>Number: 55952
>Category: ports
>Synopsis: [update] www/suphp: update to 0.3 and fix a security leak introduced with previous patch
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 25 03:30:08 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Clement Laforet
>Release: FreeBSD 5.1-CURRENT i386
>Organization:
cotds.org
>Environment:
System: FreeBSD lucifer.cultdeadsheep.org 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Sun Aug 24 15:37:26 CEST 2003 root at lucifer.cultdeadsheep.org:/usr/obj/usr/src/sys/LUCIFER i386
>Description:
- update to 0.3
- add a workaround that avoids using getpwuid to perform the check for the apache user (since 4.x
doesn't support getpwuid_r).
- use %%DOCSDIR%%
removed files:
files/patch-Makefile
files/patch-config.h
files/patch-suphp.c
added files:
files/patch-src::apache::Makefile.in
files/patch-src::Makefile.in
Note to committers:
suphp is not present in CVSROOT-ports/modules
Can you add it please ? :)
>How-To-Repeat:
N/A.
>Fix:
--- suphp-0.3.diff begins here ---
Index: Makefile
===================================================================
RCS file: /WORK/ports/REPO/ports/www/suphp/Makefile,v
retrieving revision 1.3
diff -u -r1.3 Makefile
--- Makefile 17 Jul 2003 04:35:53 -0000 1.3
+++ Makefile 25 Aug 2003 10:12:41 -0000
@@ -6,86 +6,57 @@
#
PORTNAME= suphp
-PORTVERSION= 0.2.3
-PORTREVISION= 1
+PORTVERSION= 0.3
CATEGORIES= www
MASTER_SITES= http://www.suphp.org/download/
MAINTAINER= sheepkiller at cultdeadsheep.org
-COMMENT= suPHP is a combination which provides a wrapper for PHP
+COMMENT= A combination which provides a wrapper for PHP
BUILD_DEPENDS= ${LOCALBASE}/sbin/apxs:${PORTSDIR}/www/apache13
RUN_DEPENDS= ${LOCALBASE}/bin/php:${PORTSDIR}/www/php4-cgi
-USE_REINPLACE= yes
+HAS_CONFIGURE= yes
+USE_GMAKE= yes
+CONFLICTS= mod_php4-4*
-MAKE_ARGS+= APXS="${APXS}"
APXS?= ${LOCALBASE}/sbin/apxs
-WWW_USER?= www
-WWW_GROUP?= www
LOG_PATH?= /var/log
PHP_PATH?= ${LOCALBASE}/bin/php
+APACHE_USER?= www
-.include <bsd.port.pre.mk>
-
-.if exists(${LOCALBASE}/libexec/apache/libphp4.so)
-IGNORE="suPHP conflicts with mod_php4. It works only with php4-cgi"
+CONFIGURE_ARGS+= --with-php=${PHP_PATH} \
+ --with-logfile=${LOG_PATH}/suphp.log \
+ --with-apache-user=${APACHE_USER} \
+ --with-min-gid=80 \
+ --with-min-uid=80 \
+ --with-apxs=${APXS}
+
+## Available knobs:
+## WITHOUT_CHECKPATH: disable check if script resides in DOCUMENT_ROOT
+.if defined(WITHOUT_CHECKPATH)
+CONFIGURE_ARGS+= --disable-checkpath
.endif
-
-pre-configure:
- @${ECHO}
- @${ECHO} "*-------------------------------------------------------------*"
- @${ECHO} " Options :"
- @${ECHO} " - WWW_USER = Apache's User (default www)"
- @${ECHO} " - Define CHECK_PATH, to enable suExec-like path checking"
- @${ECHO} " (based on DocumentRoot directive)."
- @${ECHO} " - LOG_PATH=/path/to/your/logs. Default /var/log/."
- @${ECHO} " - PHP_PATH=/path/to/bin/php. Default ${LOCALBASE}/bin/php."
- @${ECHO} "*-------------------------------------------------------------*"
- @${ECHO}
-
-do-configure:
- @${ECHO} "Setting User to : ${WWW_USER}"
- @${REINPLACE_CMD} -e 's!OPT_APACHE_USER "wwwrun"!OPT_APACHE_USER "${WWW_USER}"!' \
- ${WRKSRC}/config.h
- @${ECHO} "Setting Group to : ${WWW_GROUP}"
- @${REINPLACE_CMD} -e 's!OPT_APACHE_GROUP "wwwrun"!OPT_APACHE_GROUP "${WWW_USER}"!' \
- ${WRKSRC}/config.h
- @${ECHO} "Setting checkpath. (if enabled)"
-.if !defined(CHECK_PATH)
- @${REINPLACE_CMD} -e 's!#define OPT_CHECKPATH!/*#define OPT_CHECKPATH*/!' \
- ${WRKSRC}/config.h
+## WITHOUT_CHECKUID: accept UIDs that are not listed in /etc/passwd
+.if defined(WITHOUT_CHECKUID)
+CONFIGURE_ARGS+= --disable-checkuid
.endif
- @${ECHO} "Setting logs path"
- @${REINPLACE_CMD} -e 's,OPT_LOGFILE "/opt/apache/var/logs/suphp_log",OPT_LOGFILE "${LOG_PATH}/suphp_log",' \
- ${WRKSRC}/config.h
- @${ECHO} "Setting php path"
- @${REINPLACE_CMD} -e 's,OPT_PATH_TO_PHP "/usr/bin/php",OPT_PATH_TO_PHP "${PHP_PATH}",' \
- ${WRKSRC}/config.h
- @${ECHO} "Setting suphp path in mod_suphp"
- @${REINPLACE_CMD} -e "s,/usr/sbin/suphp,${PREFIX}/sbin/suphp," ${WRKSRC}/apache/mod_suphp.c
+## WITHOUT_CHECKGID: accept GIDs that are not listed in /etc/group
+.if defined(WITHOUT_CHECKGID)
+CONFIGURE_ARGS+= --disable-checkgid
+.endif
+
+show-options:
+ @${EGREP} '^##' ${.CURDIR}/Makefile | ${SED} 's/##//'
-post-build:
- @(cd ${WRKSRC}/apache && ${APXS} -c mod_suphp.c)
+pre-everything::
+ @${MAKE} show-options
post-install:
- @(cd ${WRKSRC}/apache && ${APXS} -i -a -n suphp ${WRKSRC}/apache/mod_suphp.so)
.if !defined(NOPORTDOCS)
- @${MKDIR} ${DOCSDIR} ${DOCSDIR}/apache ${DOCSDIR}/de-doc ${DOCSDIR}/de-doc/apache
- ${INSTALL_DATA} ${WRKSRC}/README ${DOCSDIR}
- ${INSTALL_DATA} ${WRKSRC}/INSTALL ${DOCSDIR}
- ${INSTALL_DATA} ${WRKSRC}/LICENSE ${DOCSDIR}
- ${INSTALL_DATA} ${WRKSRC}/apache/CONFIG ${DOCSDIR}/apache
- ${INSTALL_DATA} ${WRKSRC}/apache/README ${DOCSDIR}/apache
- ${INSTALL_DATA} ${WRKSRC}/apache/INSTALL ${DOCSDIR}/apache
- ${INSTALL_DATA} ${WRKSRC}/apache/LICENSE ${DOCSDIR}/apache
- ${INSTALL_DATA} -d ${WRKSRC}/de-doc/ ${DOCSDIR}
- ${INSTALL_DATA} ${WRKSRC}/de-doc/README.de ${DOCSDIR}/de-doc/
- ${INSTALL_DATA} ${WRKSRC}/de-doc/INSTALL.de ${DOCSDIR}/de-doc/
- ${INSTALL_DATA} ${WRKSRC}/de-doc/apache/README.de ${DOCSDIR}/de-doc/apache
- ${INSTALL_DATA} ${WRKSRC}/de-doc/apache/INSTALL.de ${DOCSDIR}/de-doc/apache
- ${INSTALL_DATA} ${WRKSRC}/de-doc/apache/CONFIG.de ${DOCSDIR}/de-doc/apache
+ @${MKDIR} ${DOCSDIR}
+ @${CP} -Rfp ${WRKSRC}/doc/* ${DOCSDIR}
.endif
@${CAT} ${PKGMESSAGE}
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
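Review bot: The `--with-min-uid=80` and `--with-min-gid=80` arguments in CONFIGURE_ARGS are hard-coded and undocumented, although they set the lowest account the setuid wrapper will switch to. The removed files/patch-config.h shows that 0.2.3 used 100, and files/patch-suphp.c added an exception only for the Apache account; a floor of 80 presumably exists to admit `www`, but it also admits every other account whose id lies between 80 and 99. Consider exposing the values as knobs, e.g. `MIN_UID?= 80` and `MIN_GID?= 80` passed as `--with-min-uid=${MIN_UID}`, each with a `##` line so that show-options prints them. The `##` texts for WITHOUT_CHECKPATH, WITHOUT_CHECKUID and WITHOUT_CHECKGID should also state that each knob removes a check from a setuid binary.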
Index: distinfo
===================================================================
RCS file: /WORK/ports/REPO/ports/www/suphp/distinfo,v
retrieving revision 1.2
diff -u -r1.2 distinfo
--- distinfo 30 Jun 2003 04:56:54 -0000 1.2
+++ distinfo 25 Aug 2003 10:12:41 -0000
@@ -1 +1 @@
-MD5 (suphp-0.2.3.tar.gz) = a540fa3ac0af43a46afc33cf8401ee89
+MD5 (suphp-0.3.tar.gz) = f80d54de6aff5db4ab76670f1c5b3c6d
Index: pkg-plist
===================================================================
RCS file: /WORK/ports/REPO/ports/www/suphp/pkg-plist,v
retrieving revision 1.1
diff -u -r1.1 pkg-plist
--- pkg-plist 25 Jun 2003 06:50:52 -0000 1.1
+++ pkg-plist 25 Aug 2003 10:12:41 -0000
@@ -2,19 +2,22 @@
libexec/apache/mod_suphp.so
@exec %D/sbin/apxs -e -a -n suphp %D/%f
@unexec echo "===> If you do not plan on reinstalling suphp, you must manually remove"; echo "===> references to it in httpd.conf."
-%%PORTDOCS%%share/doc/suphp/apache/CONFIG
-%%PORTDOCS%%share/doc/suphp/apache/README
-%%PORTDOCS%%share/doc/suphp/apache/INSTALL
-%%PORTDOCS%%share/doc/suphp/apache/LICENSE
-%%PORTDOCS%%share/doc/suphp/de-doc/apache/README.de
-%%PORTDOCS%%share/doc/suphp/de-doc/apache/INSTALL.de
-%%PORTDOCS%%share/doc/suphp/de-doc/apache/CONFIG.de
-%%PORTDOCS%%share/doc/suphp/de-doc/README.de
-%%PORTDOCS%%share/doc/suphp/de-doc/INSTALL.de
-%%PORTDOCS%%share/doc/suphp/README
-%%PORTDOCS%%share/doc/suphp/INSTALL
-%%PORTDOCS%%share/doc/suphp/LICENSE
-%%PORTDOCS%%@dirrm share/doc/suphp/de-doc/apache
-%%PORTDOCS%%@dirrm share/doc/suphp/de-doc
-%%PORTDOCS%%@dirrm share/doc/suphp/apache
-%%PORTDOCS%%@dirrm share/doc/suphp/
+%%PORTDOCS%%%%DOCSDIR%%/en/INSTALL
+%%PORTDOCS%%%%DOCSDIR%%/en/LICENSE
+%%PORTDOCS%%%%DOCSDIR%%/en/README
+%%PORTDOCS%%%%DOCSDIR%%/en/apache/CONFIG
+%%PORTDOCS%%%%DOCSDIR%%/en/apache/INSTALL
+%%PORTDOCS%%%%DOCSDIR%%/en/apache/LICENSE
+%%PORTDOCS%%%%DOCSDIR%%/en/apache/README
+%%PORTDOCS%%%%DOCSDIR%%/de/INSTALL
+%%PORTDOCS%%%%DOCSDIR%%/de/LICENSE
+%%PORTDOCS%%%%DOCSDIR%%/de/README
+%%PORTDOCS%%%%DOCSDIR%%/de/apache/CONFIG
+%%PORTDOCS%%%%DOCSDIR%%/de/apache/INSTALL
+%%PORTDOCS%%%%DOCSDIR%%/de/apache/LICENSE
+%%PORTDOCS%%%%DOCSDIR%%/de/apache/README
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/de/apache
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/en/apache
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/de
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/en
+%%PORTDOCS%%@dirrm %%DOCSDIR%%
Index: files/patch-Makefile
===================================================================
RCS file: files/patch-Makefile
diff -N files/patch-Makefile
--- files/patch-Makefile 25 Jun 2003 06:50:53 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,33 +0,0 @@
---- Makefile.orig Wed Oct 23 22:16:50 2002
-+++ Makefile Tue Nov 12 12:10:58 2002
-@@ -2,9 +2,9 @@
- ## Makefile for suPHP ##
- ##############################################
-
--SUPHP_INSTALL = /usr/sbin/suphp
-+SUPHP_INSTALL = $(PREFIX)/sbin/suphp
-
--CC = gcc
-+#CC = gcc
- CFLAGS = -c -Wall
- LD = gcc
- LDFLAGS = -o
-@@ -31,11 +31,7 @@
- touch suphp.h
-
- install: suphp
-- if [ $$UID = 0 ]; then \
-- cp suphp ${SUPHP_INSTALL}; \
-- else \
-- echo -e "You need to be root to install suPHP."; \
-- fi
-+ $(INSTALL) -o root -g wheel -m 4755 suphp ${SUPHP_INSTALL}
-
- clean:
- rm *.o
-@@ -43,3 +39,5 @@
-
- rmbackups:
- rm *~
-+
-+all: suphp
Index: files/patch-config.h
===================================================================
RCS file: files/patch-config.h
diff -N files/patch-config.h
--- files/patch-config.h 25 Jun 2003 06:50:53 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,9 +0,0 @@
---- config.h.orig Wed Oct 23 22:16:50 2002
-+++ config.h Wed Nov 13 16:30:35 2002
-@@ -24,5 +24,6 @@
- #define OPT_MIN_UID 100
- #define OPT_MIN_GID 100
- #define OPT_APACHE_USER "wwwrun"
-+#define OPT_APACHE_GROUP "wwwrun"
- #define OPT_PATH_TO_PHP "/usr/bin/php"
- #define OPT_LOGFILE "/opt/apache/var/logs/suphp_log"
Index: files/patch-src::Makefile.in
===================================================================
RCS file: files/patch-src::Makefile.in
diff -N files/patch-src::Makefile.in
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/patch-src::Makefile.in 25 Aug 2003 10:12:41 -0000
@@ -0,0 +1,10 @@
+--- src/Makefile.in.orig Mon Aug 25 11:50:48 2003
++++ src/Makefile.in Mon Aug 25 11:50:55 2003
+@@ -39,7 +39,6 @@
+ fi
+
+ install: suphp suphp.mod
+- $(INSTALL_PROGRAM) -d $(DESTDIR)$(sbindir)
+ $(INSTALL_PROGRAM) -m 4755 suphp $(DESTDIR)$(sbindir)/suphp
+ @$(MAKE) $(MAKEDEFS) -C apache install
+
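Review bot: The install line this patch keeps, `$(INSTALL_PROGRAM) -m 4755 suphp $(DESTDIR)$(sbindir)/suphp`, sets the setuid bit without naming an owner or group, whereas the files/patch-Makefile removed by this update installed with `-o root -g wheel -m 4755`. Unless INSTALL_PROGRAM reaches this Makefile.in with owner flags already in it (not visible here), the owner of the setuid binary depends on who runs the install step. Extending the patch to state it explicitly would remove that dependency: `$(INSTALL_PROGRAM) -o root -g wheel -m 4755 suphp $(DESTDIR)$(sbindir)/suphp`.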
Index: files/patch-src::apache::Makefile.in
===================================================================
RCS file: files/patch-src::apache::Makefile.in
diff -N files/patch-src::apache::Makefile.in
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/patch-src::apache::Makefile.in 25 Aug 2003 10:12:41 -0000
@@ -0,0 +1,13 @@
+--- src/apache/Makefile.in.orig Mon Aug 25 11:40:47 2003
++++ src/apache/Makefile.in Mon Aug 25 11:41:02 2003
+@@ -29,7 +29,9 @@
+ all: suphp.mod
+
+ suphp.mod: mod_suphp.c
+- $(APXS) -c $(DEFS) $(EXTRADEFS) $(INCLUDES) -Wc,"$(CFLAGS)" mod_suphp.c
++ @if [ ! -f mod_suphp.o ]; then \
++ $(APXS) -c $(DEFS) $(EXTRADEFS) $(INCLUDES) -Wc,"$(CFLAGS)" mod_suphp.c ;\
++ fi;
+
+ install: suphp.mod
+ $(APXS) -i -a mod_suphp.so
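Review bot: The new guard tests for `mod_suphp.o`, but the install rule below it installs `mod_suphp.so`, so an object file left behind by an interrupted or failed apxs run could suppress the compile and leave install with a missing or stale module. Testing the file that is actually installed is closer to the intent: `@if [ ! -f mod_suphp.so ]; then \`. The leading `@` also hides the apxs command line from the build log, which makes a skipped compile hard to notice; dropping it would help.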
Index: files/patch-suphp.c
===================================================================
RCS file: files/patch-suphp.c
diff -N files/patch-suphp.c
--- files/patch-suphp.c 30 Jun 2003 04:56:55 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,34 +0,0 @@
---- suphp.c.orig Wed Dec 25 14:21:27 2002
-+++ suphp.c Sat Jun 28 12:02:12 2003
-@@ -68,6 +68,7 @@
- {
- // Check, if program has been started by Apache
- struct passwd *apacheuser;
-+ struct group *apachegroup;
- struct passwd *calluser;
- struct passwd *targetuser;
- struct group *targetgroup;
-@@ -76,6 +77,7 @@
- path_translated = getenv("SCRIPT_FILENAME");
-
- apacheuser = getpwnam(OPT_APACHE_USER);
-+ apachegroup = getgrnam(OPT_APACHE_GROUP);
- calluser = getpwuid(getuid());
-
- if (calluser->pw_uid!=apacheuser->pw_uid)
-@@ -105,13 +107,13 @@
-
- // Get gid and uid of the file and check it
- targetuser = getpwuid(file_get_uid(path_translated));
-- if (targetuser->pw_uid < OPT_MIN_UID)
-+ if (targetuser->pw_uid < OPT_MIN_UID && targetuser->pw_uid != apacheuser->pw_uid )
- {
- log_error ("UID of %s or its target (%d / %s) < %d", path_translated, targetuser->pw_uid, targetuser->pw_name, OPT_MIN_UID);
- error_exit(ERRCODE_LOW_UID);
- }
- targetgroup = getgrgid(file_get_gid(path_translated));
-- if (targetgroup->gr_gid < OPT_MIN_GID)
-+ if (targetgroup->gr_gid < OPT_MIN_GID && targetgroup->gr_gid != apachegroup->gr_gid )
- {
- log_error ("GID of %s or its target (%d / %s) < %d", path_translated, targetgroup->gr_gid, targetgroup->gr_name, OPT_MIN_GID);
- error_exit(ERRCODE_LOW_GID);
--- suphp-0.3.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: