pool/apache2-mod_nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 556094 from home:vitezslav_cizek:branches:Apache:Modules

Browse Source 
- Fix NSS database startup permission check (bsc#1057776)
  * add 0001-Handle-group-membership-when-testing-for-file-permis.patch

OBS-URL: https://build.opensuse.org/request/show/556094
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=36
This commit is contained in:
Petr Gajdos 2017-12-12 07:51:19 +00:00 committed by Git OBS Bridge
parent 5e843b3524
commit 97948eaa24
3 changed files with 129 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
0001-Handle-group-membership-when-testing-for-file-permis.patch Normal file
View File

@ -0,0 +1,121 @@
From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 23 Feb 2017 13:06:21 -0500
Subject: [PATCH] Handle group membership when testing for file permissions
This was a bit of a corner case but group membership wasn't
considered when trying to determine if the NSS databases are
readable.
Resolves BZ 1395300
---
nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
1 file changed, 33 insertions(+), 12 deletions(-)
Index: mod_nss-1.0.14/nss_engine_init.c
===================================================================
--- mod_nss-1.0.14.orig/nss_engine_init.c 2017-12-11 21:44:07.051660014 +0100
+++ mod_nss-1.0.14/nss_engine_init.c 2017-12-11 21:47:22.698850519 +0100
@@ -29,6 +29,7 @@
#include "cert.h"
#include <sys/types.h>
#include <pwd.h>
+#include <grp.h>
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
@@ -57,22 +58,38 @@ static char *version_components[] = {
* Return 0 on failure or file doesn't exist
* Return 1 on success
*/
-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
+static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
+ apr_pool_t *p)
{
apr_finfo_t finfo;
- int rv;
+ PRBool in_group = PR_FALSE;
+ struct group *gr;
+ int i = 0;
+
+ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
+ == APR_SUCCESS) {
+ if ((gr = getgrgid(finfo.group)) == NULL) {
+ return 0;
+ }
- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
- p)) == APR_SUCCESS) {
+ if (gid == finfo.group) {
+ in_group = PR_TRUE;
+ } else {
+ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
+ if (!strcasecmp(user, gr->gr_mem[i++])) {
+ in_group = PR_TRUE;
+ break;
+ }
+ }
+ }
if (((uid == finfo.user) &&
((finfo.protection & APR_FPROT_UREAD))) ||
- ((gid == finfo.group) &&
- ((finfo.protection & APR_FPROT_GREAD)))
+ (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
+ (finfo.protection & APR_FPROT_WREAD)
)
{
return 1;
}
- return 0;
}
return 0;
}
@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r
if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
apr_snprintf(filepath, 1024, "%s/key4.db",
mc->pCertificateDatabase+4);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS key "
"database %s.", mc->user, filepath);
@@ -183,7 +201,8 @@ static void nss_init_SSLLibrary(server_r
}
apr_snprintf(filepath, 1024, "%s/cert9.db",
mc->pCertificateDatabase+4);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS cert "
"database %s.", mc->user, filepath);
@@ -192,7 +211,8 @@ static void nss_init_SSLLibrary(server_r
} else {
apr_snprintf(filepath, 1024, "%s/key3.db",
mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS key "
"database %s.", mc->user, filepath);
@@ -200,7 +220,8 @@ static void nss_init_SSLLibrary(server_r
}
apr_snprintf(filepath, 1024, "%s/cert8.db",
mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS cert "
"database %s.", mc->user, filepath);
@@ -208,7 +229,7 @@ static void nss_init_SSLLibrary(server_r
}
apr_snprintf(filepath, 1024, "%s/secmod.db",
mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS secmod "
"database %s.", mc->user, filepath);

6
apache2-mod_nss.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon Dec 11 20:41:26 UTC 2017 - vcizek@suse.com
- Fix NSS database startup permission check (bsc#1057776)
* add 0001-Handle-group-membership-when-testing-for-file-permis.patch
-------------------------------------------------------------------
Thu Dec 7 13:19:08 UTC 2017 - vcizek@suse.com

2
apache2-mod_nss.spec
View File

@ -38,6 +38,7 @@ Source4: README-SUSE.txt
Source5: vhost-nss.template
Patch1: mod_nss-migrate.patch
Patch2: mod_nss-gencert-correct-ownership.patch
Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch
Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel >= 2.2.12
@ -76,6 +77,7 @@ security library.
%setup -q -n mod_nss-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
# Touch expression parser sources to prevent regenerating it