forked from pool/apache2-mod_nss
Petr Gajdos
97948eaa24
- Fix NSS database startup permission check (bsc#1057776) * add 0001-Handle-group-membership-when-testing-for-file-permis.patch OBS-URL: https://build.opensuse.org/request/show/556094 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=36
122 lines
5.3 KiB
Diff
122 lines
5.3 KiB
Diff
From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Thu, 23 Feb 2017 13:06:21 -0500
|
|
Subject: [PATCH] Handle group membership when testing for file permissions
|
|
|
|
This was a bit of a corner case but group membership wasn't
|
|
considered when trying to determine if the NSS databases are
|
|
readable.
|
|
|
|
Resolves BZ 1395300
|
|
---
|
|
nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
|
|
1 file changed, 33 insertions(+), 12 deletions(-)
|
|
|
|
Index: mod_nss-1.0.14/nss_engine_init.c
|
|
===================================================================
|
|
--- mod_nss-1.0.14.orig/nss_engine_init.c 2017-12-11 21:44:07.051660014 +0100
|
|
+++ mod_nss-1.0.14/nss_engine_init.c 2017-12-11 21:47:22.698850519 +0100
|
|
@@ -29,6 +29,7 @@
|
|
#include "cert.h"
|
|
#include <sys/types.h>
|
|
#include <pwd.h>
|
|
+#include <grp.h>
|
|
|
|
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
|
|
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
|
|
@@ -57,22 +58,38 @@ static char *version_components[] = {
|
|
* Return 0 on failure or file doesn't exist
|
|
* Return 1 on success
|
|
*/
|
|
-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
|
|
+static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
|
|
+ apr_pool_t *p)
|
|
{
|
|
apr_finfo_t finfo;
|
|
- int rv;
|
|
+ PRBool in_group = PR_FALSE;
|
|
+ struct group *gr;
|
|
+ int i = 0;
|
|
+
|
|
+ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
|
|
+ == APR_SUCCESS) {
|
|
+ if ((gr = getgrgid(finfo.group)) == NULL) {
|
|
+ return 0;
|
|
+ }
|
|
|
|
- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
|
|
- p)) == APR_SUCCESS) {
|
|
+ if (gid == finfo.group) {
|
|
+ in_group = PR_TRUE;
|
|
+ } else {
|
|
+ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
|
|
+ if (!strcasecmp(user, gr->gr_mem[i++])) {
|
|
+ in_group = PR_TRUE;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
if (((uid == finfo.user) &&
|
|
((finfo.protection & APR_FPROT_UREAD))) ||
|
|
- ((gid == finfo.group) &&
|
|
- ((finfo.protection & APR_FPROT_GREAD)))
|
|
+ (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
|
|
+ (finfo.protection & APR_FPROT_WREAD)
|
|
)
|
|
{
|
|
return 1;
|
|
}
|
|
- return 0;
|
|
}
|
|
return 0;
|
|
}
|
|
@@ -175,7 +192,8 @@ static void nss_init_SSLLibrary(server_r
|
|
if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
|
|
apr_snprintf(filepath, 1024, "%s/key4.db",
|
|
mc->pCertificateDatabase+4);
|
|
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
|
|
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
|
|
+ p))) {
|
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
|
"Server user %s lacks read access to NSS key "
|
|
"database %s.", mc->user, filepath);
|
|
@@ -183,7 +201,8 @@ static void nss_init_SSLLibrary(server_r
|
|
}
|
|
apr_snprintf(filepath, 1024, "%s/cert9.db",
|
|
mc->pCertificateDatabase+4);
|
|
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
|
|
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
|
|
+ p))) {
|
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
|
"Server user %s lacks read access to NSS cert "
|
|
"database %s.", mc->user, filepath);
|
|
@@ -192,7 +211,8 @@ static void nss_init_SSLLibrary(server_r
|
|
} else {
|
|
apr_snprintf(filepath, 1024, "%s/key3.db",
|
|
mc->pCertificateDatabase);
|
|
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
|
|
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
|
|
+ p))) {
|
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
|
"Server user %s lacks read access to NSS key "
|
|
"database %s.", mc->user, filepath);
|
|
@@ -200,7 +220,8 @@ static void nss_init_SSLLibrary(server_r
|
|
}
|
|
apr_snprintf(filepath, 1024, "%s/cert8.db",
|
|
mc->pCertificateDatabase);
|
|
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
|
|
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
|
|
+ p))) {
|
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
|
"Server user %s lacks read access to NSS cert "
|
|
"database %s.", mc->user, filepath);
|
|
@@ -208,7 +229,7 @@ static void nss_init_SSLLibrary(server_r
|
|
}
|
|
apr_snprintf(filepath, 1024, "%s/secmod.db",
|
|
mc->pCertificateDatabase);
|
|
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
|
|
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
|
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
|
|
"Server user %s lacks read access to NSS secmod "
|
|
"database %s.", mc->user, filepath);
|