diff --git a/0001-Handle-group-membership-when-testing-for-file-permis.patch b/0001-Handle-group-membership-when-testing-for-file-permis.patch
new file mode 100644
index 0000000..750b50d
--- /dev/null
+++ b/0001-Handle-group-membership-when-testing-for-file-permis.patch
@@ -0,0 +1,121 @@
+From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 23 Feb 2017 13:06:21 -0500
+Subject: [PATCH] Handle group membership when testing for file permissions
+
+This was a bit of a corner case but group membership wasn't
+considered when trying to determine if the NSS databases are
+readable.
+
+Resolves BZ 1395300
+---
+ nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 33 insertions(+), 12 deletions(-)
+
+Index: mod_nss-1.0.14/nss_engine_init.c
+===================================================================
+--- mod_nss-1.0.14.orig/nss_engine_init.c 2017-12-11 21:44:07.051660014 +0100
++++ mod_nss-1.0.14/nss_engine_init.c 2017-12-11 21:47:22.698850519 +0100
+@@ -29,6 +29,7 @@
+ #include "cert.h"
+ #include
+ #include
++#include
+
+ static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
+ static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
+@@ -57,22 +58,38 @@ static char *version_components[] = {
+ * Return 0 on failure or file doesn't exist
+ * Return 1 on success
+ */
+-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
++static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
++ apr_pool_t *p)
+ {
+ apr_finfo_t finfo;
+- int rv;
++ PRBool in_group = PR_FALSE;
++ struct group *gr;
++ int i = 0;
++
++ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
++ == APR_SUCCESS) {
++ if ((gr = getgrgid(finfo.group)) == NULL) {
++ return 0;
++ }
+
+- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
+- p)) == APR_SUCCESS) {
++ if (gid == finfo.group) {
++ in_group = PR_TRUE;
++ } else {
++ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
++ if (!strcasecmp(user, gr->gr_mem[i++])) {
++ in_group = PR_TRUE;
++ break;
++ }
++ }
++ }
+ if (((uid == finfo.user) &&
+ ((finfo.protection & APR_FPROT_UREAD))) ||
+- ((gid == finfo.group) &&
+- ((finfo.protection & APR_FPROT_GREAD)))
++ (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
++ (finfo.protection & APR_FPROT_WREAD)
+ )
+ {
+ return 1;
+ }
+- return 0;
+ }
+ return 0;
+ }
+@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r
+ if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
+ apr_snprintf(filepath, 1024, "%s/key4.db",
+ mc->pCertificateDatabase+4);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS key "
+ "database %s.", mc->user, filepath);
+@@ -183,7 +201,8 @@ static void nss_init_SSLLibrary(server_r
+ }
+ apr_snprintf(filepath, 1024, "%s/cert9.db",
+ mc->pCertificateDatabase+4);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS cert "
+ "database %s.", mc->user, filepath);
+@@ -192,7 +211,8 @@ static void nss_init_SSLLibrary(server_r
+ } else {
+ apr_snprintf(filepath, 1024, "%s/key3.db",
+ mc->pCertificateDatabase);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS key "
+ "database %s.", mc->user, filepath);
+@@ -200,7 +220,8 @@ static void nss_init_SSLLibrary(server_r
+ }
+ apr_snprintf(filepath, 1024, "%s/cert8.db",
+ mc->pCertificateDatabase);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
++ p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS cert "
+ "database %s.", mc->user, filepath);
+@@ -208,7 +229,7 @@ static void nss_init_SSLLibrary(server_r
+ }
+ apr_snprintf(filepath, 1024, "%s/secmod.db",
+ mc->pCertificateDatabase);
+- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
++ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+ "Server user %s lacks read access to NSS secmod "
+ "database %s.", mc->user, filepath);
diff --git a/apache2-mod_nss.changes b/apache2-mod_nss.changes
index 9b06d92..7d7de31 100644
--- a/apache2-mod_nss.changes
+++ b/apache2-mod_nss.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Dec 11 20:41:26 UTC 2017 - vcizek@suse.com
+
+- Fix NSS database startup permission check (bsc#1057776)
+ * add 0001-Handle-group-membership-when-testing-for-file-permis.patch
+
 -------------------------------------------------------------------
 Thu Dec 7 13:19:08 UTC 2017 - vcizek@suse.com
diff --git a/apache2-mod_nss.spec b/apache2-mod_nss.spec
index b17936a..7b7f98d 100644
--- a/apache2-mod_nss.spec
+++ b/apache2-mod_nss.spec
@@ -38,6 +38,7 @@ Source4: README-SUSE.txt
 Source5: vhost-nss.template
 Patch1: mod_nss-migrate.patch
 Patch2: mod_nss-gencert-correct-ownership.patch
+Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch
 Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch
 BuildRequires: apache-rpm-macros
 BuildRequires: apache2-devel >= 2.2.12
@@ -76,6 +77,7 @@ security library.
 %setup -q -n mod_nss-%{version}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %patch4 -p1
 # Touch expression parser sources to prevent regenerating it
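Review bot: In the new `check_path` body, a NULL from `getgrgid(finfo.group)` returns 0 before the owner and world-readable tests are reached, so a database whose gid no longer resolves to a group entry is reported as unreadable even when the server user owns it with u+r; the lookup is only needed on the `gid != finfo.group` path, and a failed lookup should simply mean "not a member". `strcasecmp(user, gr->gr_mem[i++])` also compares account names case-insensitively, but POSIX user names are case-sensitive, so a group member named (constructed example) `Apache` would make the pre-check pass for `apache` and the real database open would still fail later with a less helpful error — `strcmp` is the right comparison here. `getgrgid` returns a pointer to static storage; that is acceptable if, as the `nss_init_SSLLibrary` callers suggest, this only runs during single-threaded server init, otherwise `getgrgid_r` is the reentrant form. The rewritten membership lookup is below; the read-bit test and the rest of the function are unchanged.
```c
    if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
        == APR_SUCCESS) {
        if (gid == finfo.group) {
            in_group = PR_TRUE;
        } else if ((gr = getgrgid(finfo.group)) != NULL) {
            /* An unresolvable gid only means "not a member"; the owner
             * and world bits below still decide. Account names are
             * case-sensitive, so compare exactly. */
            while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
                if (!strcmp(user, gr->gr_mem[i++])) {
                    in_group = PR_TRUE;
                    break;
                }
            }
        }
        /* … unchanged: owner / group / world read-bit test … */
    }
```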