Subversion Repositories suexec-custom

Rev

Rev 2 | Details | Compare with Previous | Last modification | View Log | RSS feed

Rev Author Line No. Line
1 madcat 1
--- suexec.8.orig       2011-07-12 10:38:14.000000000 +0200
2
+++ suexec.8    2011-07-12 11:33:24.000000000 +0200
3
@@ -43,8 +43,12 @@ If suexec is called by a user with name
4
 suexec will abort. By creating several config files, you can allow several
5
 different apache run users to use suexec.
6
 .PP
7
-The first line in the file is used as the document root (/var/www in the
8
-standard suexec) and the second line in the file is used as the suffix that is
9
+The first line in the file is used as the start (the root) of the chroot
10
+jail environment. If you don't want to use a chroot jail you must put
11
+"nochroot" on the first line: the chroot command will be ignored.
12
+.PP
13
+The second line in the file is used as the document root (/var/www in the
14
+standard suexec) and the third line in the file is used as the suffix that is
15
 appended to users' home directories (public_html in standard suexec).
16
 .PP
17
 If any of the lines is commented out (with #), suexec will refuse the
2 madcat 18
--- suexec-custom.config.orig   2013-03-12 17:22:25.835049038 +0100
19
+++ suexec-custom.config        2013-03-12 17:29:10.583054086 +0100
20
@@ -1,7 +1,12 @@
21
+nochroot
22
 /var/www
23
 public_html/cgi-bin
24
-# The first two lines contain the suexec document root and the suexec userdir
25
-# suffix. If one of them is disabled by prepending a # character, suexec will
3 madcat 26
-# refuse the corresponding type of request. 
2 madcat 27
+# The first line contains the path of the chroot jail environment. Use the
28
+# special word nochroot if you don't want to use a chroot jail.
29
+# The second line contains the suexec document root and the third line the
30
+# suexec userdir suffix. If one of them is disabled by prepending a #
31
+# character, suexec will refuse the corresponding type of request.
32
+# You cannot comment out the first line: use a path for the chroot jail or
33
+# the nochroot parameter.
34
 # This config file is only used by the apache2-suexec-custom package. See the
35
 # suexec man page included in the package for more details.
1 madcat 36
--- suexec-custom.c.orig        2011-07-12 10:38:14.000000000 +0200
37
+++ suexec-custom.c     2011-07-12 11:32:59.000000000 +0200
38
@@ -288,6 +288,7 @@ int main(int argc, char *argv[])
39
     struct stat dir_info;   /* directory info holder     */
40
     struct stat prg_info;   /* program info holder       */
41
     int cwdh;               /* handle to cwd             */
42
+    char *suexec_chroot         = NULL;
43
     char *suexec_docroot        = NULL;
44
     char *suexec_userdir_suffix = NULL;
45
     char *filename              = NULL;
46
@@ -382,9 +383,10 @@ int main(int argc, char *argv[])
47
      * If not, error out.
48
      */
49
     filename = malloc(AP_MAXPATH+1);
50
+    suexec_chroot = malloc(AP_MAXPATH+1);
51
     suexec_docroot = malloc(AP_MAXPATH+1);
52
     suexec_userdir_suffix = malloc(AP_MAXPATH+1);
53
-    if (!filename || !suexec_docroot || !suexec_userdir_suffix) {
54
+    if (!filename || !suexec_chroot || !suexec_docroot || !suexec_userdir_suffix) {
55
         log_err("malloc failed\n");
56
        exit(120);
57
     }
58
@@ -399,6 +401,11 @@ int main(int argc, char *argv[])
59
        exit(123);
60
     }
61
 
62
+    if (!read_line(suexec_chroot, configfile)) {
63
+       log_err("Could not read chroot from %s\n", filename);
64
+       exit(300);
65
+    }
66
+
67
     if (!read_line(suexec_docroot, configfile)) {
68
        log_err("Could not read docroot from %s\n", filename);
69
        exit(124);
70
@@ -527,6 +534,15 @@ int main(int argc, char *argv[])
71
         exit(108);
72
     }
73
 
74
+    getcwd(cwd, AP_MAXPATH);
75
+    if (strcmp(suexec_chroot, "nochroot")) {
76
+        if (chroot(suexec_chroot)!=0) {
77
+            log_err("chroot on %s failed!\n", suexec_chroot);
78
+            exit(301);
79
+        };
80
+    };
81
+    chdir(cwd);
82
+
83
     /*
84
      * Change UID/GID here so that the following tests work over NFS.
85
      *