Accepting request 556377 from Apache:Modules
- Fix NSS database startup permission check (bsc#1057776) * add 0001-Handle-group-membership-when-testing-for-file-permis.patch (forwarded request 556094 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/556377 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2-mod_nss?expand=0&rev=26
commit
4e22f5802b
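--- /dev/null
+++ b/0001-Handle-group-membership-when-testing-for-file-permis.patch
@@ -0,0 +1,121 @@
+From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 23 Feb 2017 13:06:21 -0500
+Subject: [PATCH] Handle group membership when testing for file permissions
+
+This was a bit of a corner case but group membership wasn't
+considered when trying to determine if the NSS databases are
+readable.
+
+Resolves BZ 1395300
+---
+nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
+1 file changed, 33 insertions(+), 12 deletions(-)
+
+Index: mod_nss-1.0.14/nss_engine_init.c
+===================================================================
+--- mod_nss-1.0.14.orig/nss_engine_init.c 2017-12-11 21:44:07.051660014 +0100
++++ mod_nss-1.0.14/nss_engine_init.c 2017-12-11 21:47:22.698850519 +0100
+@@ -29,6 +29,7 @@
+#include "cert.h"
+#include <sys/types.h>
+#include <pwd.h>
++#include <grp.h>
+
+static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
+static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
+@@ -57,22 +58,38 @@ static char *version_components[] = {
+* Return 0 on failure or file doesn't exist
+* Return 1 on success
+*/
+-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
++static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
++ apr_pool_t *p)
+{
+apr_finfo_t finfo;
+- int rv;
++ PRBool in_group = PR_FALSE;
++ struct group *gr;
++ int i = 0;
++
++ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
++ == APR_SUCCESS) {
++ if ((gr = getgrgid(finfo.group)) == NULL) {
++ return 0;
++ }
+
+- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
+- p)) == APR_SUCCESS) {
++ if (gid == finfo.group) {
++ in_group = PR_TRUE;
++ } else {
++ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
++ if (!strcasecmp(user, gr->gr_mem[i++])) {
++ in_group = PR_TRUE;
++ break;
++ }
++ }
++ }
+if (((uid == finfo.user) &&
+((finfo.protection & APR_FPROT_UREAD))) ||
+- ((gid == finfo.group) &&
+- ((finfo.protection & APR_FPROT_GREAD)))
++ (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
++ (finfo.protection & APR_FPROT_WREAD)
+)
+{
+return 1;
+}
+- return 0;
+}
+return 0;
+}
+@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r
+if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
+apr_snprintf(filepath, 1024, "%s/key4.db",
+mc->pCertificateDatabase+4);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+"Server user %s lacks read access to NSS key "
+"database %s.", mc->user, filepath);
+@@ -183,7 +201,8 @@ static void nss_init_SSLLibrary(server_r
+}
+apr_snprintf(filepath, 1024, "%s/cert9.db",
+mc->pCertificateDatabase+4);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+"Server user %s lacks read access to NSS cert "
+"database %s.", mc->user, filepath);
+@@ -192,7 +211,8 @@ static void nss_init_SSLLibrary(server_r
+} else {
+apr_snprintf(filepath, 1024, "%s/key3.db",
+mc->pCertificateDatabase);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+"Server user %s lacks read access to NSS key "
+"database %s.", mc->user, filepath);
+@@ -200,7 +220,8 @@ static void nss_init_SSLLibrary(server_r
+}
+apr_snprintf(filepath, 1024, "%s/cert8.db",
+mc->pCertificateDatabase);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+"Server user %s lacks read access to NSS cert "
+"database %s.", mc->user, filepath);
+@@ -208,7 +229,7 @@ static void nss_init_SSLLibrary(server_r
+}
+apr_snprintf(filepath, 1024, "%s/secmod.db",
+mc->pCertificateDatabase);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
+ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+"Server user %s lacks read access to NSS secmod "
+"database %s.", mc->user, filepath);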
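Review bot: In check_path the new `if ((gr = getgrgid(finfo.group)) == NULL) { return 0; }` runs before the owner, primary-gid and world-read tests, so a database that the server user owns with UREAD, or one whose group id has no entry in the group database (removed group, NSS backend unavailable at startup), is now reported as unreadable where the old code accepted it; the lookup is only needed for the supplementary-membership branch and belongs inside the `else`, with a NULL result meaning "not a member" rather than "no access". The member scan compares with `strcasecmp`, but POSIX account names are case-sensitive, so a member whose name differs from `user` only in case would satisfy a check that the kernel will then refuse; `strcmp` is the right comparison. `getgrgid` returns a pointer to static storage; this is presumably called once from nss_init_SSLLibrary at init, but `getgrgid_r` (or `getgrouplist` for the server user) would avoid relying on that. check_path starts and ends inside this hunk; the callers' enclosing function nss_init_SSLLibrary does not.
```c
        /* … unchanged: apr_stat() and its APR_SUCCESS test … */
        /* the early getgrgid()-NULL return after apr_stat() is removed */
        if (gid == finfo.group) {
            in_group = PR_TRUE;
        /* an unknown group id only means no supplementary membership;
         * the owner and world-read bits are still tested below */
        } else if ((gr = getgrgid(finfo.group)) != NULL && gr->gr_mem != NULL) {
            for (i = 0; gr->gr_mem[i] != NULL; i++) {
                if (strcmp(user, gr->gr_mem[i]) == 0) {
                    in_group = PR_TRUE;
                    break;
                }
            }
        }
        /* … unchanged: UREAD / GREAD / WREAD test and returns … */
```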
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 11 20:41:26 UTC 2017 - vcizek@suse.com
|
||||
|
||||
- Fix NSS database startup permission check (bsc#1057776)
|
||||
* add 0001-Handle-group-membership-when-testing-for-file-permis.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Dec 7 13:19:08 UTC 2017 - vcizek@suse.com
|
||||
|
||||
|
@ -38,6 +38,7 @@ Source4: README-SUSE.txt
|
||||
Source5: vhost-nss.template
|
||||
Patch1: mod_nss-migrate.patch
|
||||
Patch2: mod_nss-gencert-correct-ownership.patch
|
||||
Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch
|
||||
Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
|
||||
BuildRequires: apache-rpm-macros
|
||||
BuildRequires: apache2-devel >= 2.2.12
|
||||
@ -76,6 +77,7 @@ security library.
|
||||
%setup -q -n mod_nss-%{version}
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
|
||||
# Touch expression parser sources to prevent regenerating it
|
||||
|