From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 23 Feb 2017 13:06:21 -0500
Subject: [PATCH] Handle group membership when testing for file permissions

This was a bit of a corner case but group membership wasn't
considered when trying to determine if the NSS databases are
readable.

Resolves BZ 1395300
---
 nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
 1 file changed, 33 insertions(+), 12 deletions(-)

Index: mod_nss-1.0.14/nss_engine_init.c
===================================================================
--- mod_nss-1.0.14.orig/nss_engine_init.c	2017-12-11 21:44:07.051660014 +0100
+++ mod_nss-1.0.14/nss_engine_init.c	2017-12-11 21:47:22.698850519 +0100
@@ -29,6 +29,7 @@
 #include "cert.h"
 #include <sys/types.h>
 #include <pwd.h>
+#include <grp.h>
 
 static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
 static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
@@ -57,22 +58,38 @@ static char *version_components[] = {
  * Return 0 on failure or file doesn't exist
  * Return 1 on success
  */
-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
+static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
+                      apr_pool_t *p)
 {
     apr_finfo_t finfo;
-    int rv;
+    PRBool in_group = PR_FALSE;
+    struct group *gr;
+    int i = 0;
+
+    if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
+        == APR_SUCCESS) {
+        if ((gr = getgrgid(finfo.group)) == NULL) {
+            return 0;
+        }
 
-    if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
-         p)) == APR_SUCCESS) {
+        if (gid == finfo.group) {
+            in_group = PR_TRUE;
+        } else {
+            while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
+                if (!strcasecmp(user, gr->gr_mem[i++])) {
+                    in_group = PR_TRUE;
+                    break;
+                }
+            }
+        }
         if (((uid == finfo.user) &&
             ((finfo.protection & APR_FPROT_UREAD))) ||
-            ((gid == finfo.group) &&
-                ((finfo.protection & APR_FPROT_GREAD)))
+            (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
+            (finfo.protection & APR_FPROT_WREAD)
            )
         {
             return 1;
         }
-        return 0;
     }
     return 0;
 }
@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r
             if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
                 apr_snprintf(filepath, 1024, "%s/key4.db",
                              mc->pCertificateDatabase+4);
-                if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+                if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+                      p))) {
                     ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                         "Server user %s lacks read access to NSS key "
                         "database %s.", mc->user, filepath);
@@ -183,7 +201,8 @@ static void nss_init_SSLLibrary(server_r
                 }
                 apr_snprintf(filepath, 1024, "%s/cert9.db",
                              mc->pCertificateDatabase+4);
-                if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+                if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+                      p))) {
                     ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                         "Server user %s lacks read access to NSS cert "
                         "database %s.", mc->user, filepath);
@@ -192,7 +211,8 @@ static void nss_init_SSLLibrary(server_r
             } else {
                 apr_snprintf(filepath, 1024, "%s/key3.db",
                              mc->pCertificateDatabase);
-                if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+                if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+                      p))) {
                     ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                         "Server user %s lacks read access to NSS key "
                         "database %s.", mc->user, filepath);
@@ -200,7 +220,8 @@ static void nss_init_SSLLibrary(server_r
                 }
                 apr_snprintf(filepath, 1024, "%s/cert8.db",
                              mc->pCertificateDatabase);
-                if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+                if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+                      p))) {
                     ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                         "Server user %s lacks read access to NSS cert "
                         "database %s.", mc->user, filepath);
@@ -208,7 +229,7 @@ static void nss_init_SSLLibrary(server_r
                 }
                 apr_snprintf(filepath, 1024, "%s/secmod.db",
                              mc->pCertificateDatabase);
-                if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+                if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
                     ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                         "Server user %s lacks read access to NSS secmod "
                         "database %s.", mc->user, filepath);