
                        Debian bug report logs - #27234
       should be able to NOT run suexec in some directories or locations
                                       
   Package: apache; Reported by: Floody G <flood@evcom.net>; dated Tue,
   29 Sep 1998 21:48:01 GMT; Maintainer for apache is Johnie Ingram
   <johnie@debian.org>.
     _________________________________________________________________
   
Message received at submit@bugs.debian.org:

Received: (at submit) by bugs.debian.org; 29 Sep 1998 21:36:23 +0000
Received: (qmail 10315 invoked from network); 29 Sep 1998 21:36:23 -0000
Received: from zothommog.evcom.net (root@208.136.203.8)
  by debian.novare.net with SMTP; 29 Sep 1998 21:36:23 -0000
Received: from agony.evcom.net (flood@agony.evcom.net [208.136.203.10])
        by zothommog.evcom.net (8.8.8/8.8.8) with ESMTP id RAA23044
        for <submit@bugs.debian.org>; Tue, 29 Sep 1998 17:36:11 -0400
Received: from localhost (flood@localhost)
        by agony.evcom.net (8.8.8/8.8.8) with SMTP id RAA24740
        for <submit@bugs.debian.org>; Tue, 29 Sep 1998 17:36:17 -0400
Date: Tue, 29 Sep 1998 17:36:17 -0400 (EDT)
From: Floody G <flood@evcom.net>
To: submit@bugs.debian.org
Subject: should be able to NOT run suexec in some directories or locations
Message-ID: <Pine.LNX.3.96.980929172833.24722A-100000@agony.evcom.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Package: apache
Version: 1.3.2-1

Twouldn't it be nice if you didn't have to run suexec for every cgi ran by
virtualhost's or userdir configurations?  It's not only nice, it's a
necessity for myself ("global" cgi-bins, etc).

A patch follows which implements eggsactly this, it adds the NoSuExec
option.  To *disable* using suexec inside a <Directory> or <Location>,
simply: Options +NoSuExec

Note that for very obvious security reasons, this option CANNOT be used in
.htaccess files; period.  This option only enables/disables suexec if all
other suexec requirements are met (must be u+s root, etc).


-- TEAR HERE --
diff -r -u apache_1.3.2/src/include/http_core.h apache_1.3.2.new/src/include/ht
tp_core.h
--- apache_1.3.2/src/include/http_core.h        Wed Aug 26 16:01:21 1998
+++ apache_1.3.2.new/src/include/http_core.h    Tue Sep 29 15:16:21 1998
@@ -85,6 +85,8 @@
 #define OPT_MULTI 128
 #define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)

+#define OPT_NOSUEXEC 256
+
 /* options for get_remote_host() */
 /* REMOTE_HOST returns the hostname, or NULL if the hostname
  * lookup fails.  It will force a DNS lookup according to the
@@ -165,7 +167,7 @@

 /* Per-directory configuration */

-typedef unsigned char allow_options_t;
+typedef unsigned int allow_options_t;
 typedef unsigned char overrides_t;

 typedef struct {
diff -r -u apache_1.3.2/src/main/http_core.c apache_1.3.2.new/src/main/http_cor
e.c
--- apache_1.3.2/src/main/http_core.c   Tue Sep 29 17:03:11 1998
+++ apache_1.3.2.new/src/main/http_core.c       Tue Sep 29 16:25:53 1998
@@ -1000,7 +1000,10 @@
        else if (!strcasecmp(w, "All")) {
            opt = OPT_ALL;
        }
-       else {
+       /* permit Options NoSuExec only inside <Directory> or <Location> */
+       else if (!strcasecmp(w, "NoSuExec") && (cmd->override & ACCESS_CONF)) {
+           opt = OPT_NOSUEXEC;
+       } else {
            return ap_pstrcat(cmd->pool, "Illegal option ", w, NULL);
        }

diff -r -u apache_1.3.2/src/main/util_script.c apache_1.3.2.new/src/main/util_s
cript.c
--- apache_1.3.2/src/main/util_script.c Mon Sep 14 12:10:22 1998
+++ apache_1.3.2.new/src/main/util_script.c     Mon Sep 28 18:11:45 1998
@@ -687,6 +687,8 @@
                             char **env, int shellcmd)
 {
     int pid = 0;
+    int use_suexec;
+
 #if defined(RLIMIT_CPU)  || defined(RLIMIT_NPROC) || \
     defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined (RLIMIT_AS)

@@ -1091,7 +1093,12 @@
        return (pid);
     }
 #else
-    if (ap_suexec_enabled
+    if (ap_allow_options(r) & OPT_NOSUEXEC)
+       use_suexec = 0;
+    else
+       use_suexec = ap_suexec_enabled;
+
+    if (use_suexec
        && ((r->server->server_uid != ap_user_id)
            || (r->server->server_gid != ap_group_id)
            || (!strncmp("/~", r->uri, 2)))) {
diff -r -u apache_1.3.2/src/modules/standard/mod_cgi.c apache_1.3.2.new/src/mod
ules/standard/mod_cgi.c
--- apache_1.3.2/src/modules/standard/mod_cgi.c Thu Sep  3 18:40:42 1998
+++ apache_1.3.2.new/src/modules/standard/mod_cgi.c     Mon Sep 28 18:18:00 199
8
@@ -358,6 +358,7 @@
     void *sconf = r->server->module_config;
     cgi_server_conf *conf =
     (cgi_server_conf *) ap_get_module_config(sconf, &cgi_module);
+    int suexec_explicit_off = 0;

     struct cgi_child_stuff cld;

@@ -382,6 +383,9 @@
        return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
                               "attempt to include NPH CGI script");

+    if (ap_allow_options(r) & OPT_NOSUEXEC)
+       suexec_explicit_off = 1;
+
 #if defined(OS2) || defined(WIN32)
     /* Allow for cgi files without the .EXE extension on them under OS/2 */
     if (r->finfo.st_mode == 0) {
@@ -402,7 +406,7 @@
     if (S_ISDIR(r->finfo.st_mode))
        return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
                               "attempt to invoke directory as script");
-    if (!ap_suexec_enabled) {
+    if (!ap_suexec_enabled || suexec_explicit_off) {
        if (!ap_can_exec(&r->finfo))
            return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
                                   "file permissions deny server execution");

     _________________________________________________________________
   
   Acknowledgement sent to Floody G <flood@evcom.net>:
   New bug report received and forwarded. Copy sent to Johnie Ingram
   <johnie@debian.org>. Full text available.
     _________________________________________________________________
   
   Report forwarded to debian-bugs-dist@lists.debian.org, Johnie Ingram
   <johnie@debian.org>:
   Bug#27234; Package apache. Full text available.
     _________________________________________________________________
   
   
    Ian Jackson / owner@bugs.debian.org, through the Debian bug database
    
   Last modified: 12:39:00 GMT Wed 07 Oct (timestamp page available).
