Subversion Repositories suexec-custom

Rev

Rev 1 | Go to most recent revision | Blame | Compare with Previous | Last modification | View Log | RSS feed

--- suexec.8.orig       2011-07-12 10:38:14.000000000 +0200
+++ suexec.8    2011-07-12 11:33:24.000000000 +0200
@@ -43,8 +43,12 @@ If suexec is called by a user with name
 suexec will abort. By creating several config files, you can allow several
 different apache run users to use suexec.
 .PP
-The first line in the file is used as the document root (/var/www in the
-standard suexec) and the second line in the file is used as the suffix that is
+The first line in the file is used as the start (the root) of the chroot
+jail environment. If you don't want to use a chroot jail you must put
+"nochroot" on the first line: the chroot command will be ignored.
+.PP
+The second line in the file is used as the document root (/var/www in the
+standard suexec) and the third line in the file is used as the suffix that is
 appended to users' home directories (public_html in standard suexec).
 .PP
 If any of the lines is commented out (with #), suexec will refuse the
--- suexec-custom.config.orig   2013-03-12 17:22:25.835049038 +0100
+++ suexec-custom.config        2013-03-12 17:29:10.583054086 +0100
@@ -1,7 +1,12 @@
+nochroot
 /var/www
 public_html/cgi-bin
-# The first two lines contain the suexec document root and the suexec userdir
-# suffix. If one of them is disabled by prepending a # character, suexec will
-# refuse the corresponding type of request.
+# The first line contains the path of the chroot jail environment. Use the
+# special word nochroot if you don't want to use a chroot jail.
+# The second line contains the suexec document root and the third line the
+# suexec userdir suffix. If one of them is disabled by prepending a #
+# character, suexec will refuse the corresponding type of request.
+# You cannot comment out the first line: use a path for the chroot jail or
+# the nochroot parameter.
 # This config file is only used by the apache2-suexec-custom package. See the
 # suexec man page included in the package for more details.
--- suexec-custom.c.orig        2011-07-12 10:38:14.000000000 +0200
+++ suexec-custom.c     2011-07-12 11:32:59.000000000 +0200
@@ -288,6 +288,7 @@ int main(int argc, char *argv[])
     struct stat dir_info;   /* directory info holder     */
     struct stat prg_info;   /* program info holder       */
     int cwdh;               /* handle to cwd             */
+    char *suexec_chroot         = NULL;
     char *suexec_docroot        = NULL;
     char *suexec_userdir_suffix = NULL;
     char *filename              = NULL;
@@ -382,9 +383,10 @@ int main(int argc, char *argv[])
      * If not, error out.
      */
     filename = malloc(AP_MAXPATH+1);
+    suexec_chroot = malloc(AP_MAXPATH+1);
     suexec_docroot = malloc(AP_MAXPATH+1);
     suexec_userdir_suffix = malloc(AP_MAXPATH+1);
-    if (!filename || !suexec_docroot || !suexec_userdir_suffix) {
+    if (!filename || !suexec_chroot || !suexec_docroot || !suexec_userdir_suffix) {
         log_err("malloc failed\n");
        exit(120);
     }
@@ -399,6 +401,11 @@ int main(int argc, char *argv[])
        exit(123);
     }
 
+    if (!read_line(suexec_chroot, configfile)) {
+       log_err("Could not read chroot from %s\n", filename);
+       exit(300);
+    }
+
     if (!read_line(suexec_docroot, configfile)) {
        log_err("Could not read docroot from %s\n", filename);
        exit(124);
@@ -527,6 +534,15 @@ int main(int argc, char *argv[])
         exit(108);
     }
 
+    getcwd(cwd, AP_MAXPATH);
+    if (strcmp(suexec_chroot, "nochroot")) {
+        if (chroot(suexec_chroot)!=0) {
+            log_err("chroot on %s failed!\n", suexec_chroot);
+            exit(301);
+        };
+    };
+    chdir(cwd);
+
     /*
      * Change UID/GID here so that the following tests work over NFS.
      *