apache: revisit suEXEC setup
When adding suEXEC to the apache package, Alpine's package [1] served as a template. Not enough attention was paid to the details. Alpine uses a different layout. So for OpenWrt to use /var/www as DocumentRoot does not make sense. /var is also volatile on OpenWrt. This commit removes the configure argument. The default is htdocsdir. This also does away with uidmin/gidmin 99. The default is 100, which is fine. Finally, the suexec binary is moved from /usr/sbin to /usr/lib/apache2/suexec_dir. Upstream recommends installing suexec with "4750" (see [2]) and the group set to the user's group. While that would be possible, it would cause a few headaches on OpenWrt. The group would need to be changed first in a post-install script and a call to chmod would need to be made afterward, to make the binary SUID again. It's easier to hide the SUID binary away from others in a directory. This way we don't need to use chmod in the post-install script. [1] https://github.com/alpinelinux/aports/tree/master/main/apache2 [2] https://httpd.apache.org/docs/2.4/suexec.html Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
parent
dbaad2fa44
commit
07db6b4a39
1 changed files with 22 additions and 8 deletions
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=apache
|
||||
PKG_VERSION:=2.4.43
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
PKG_SOURCE_NAME:=httpd
|
||||
|
||||
PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2
|
||||
|
@ -246,12 +246,9 @@ endif
|
|||
ifneq ($(CONFIG_PACKAGE_apache-mod-suexec)$(CONFIG_PACKAGE_apache-suexec),)
|
||||
CONFIGURE_ARGS+= \
|
||||
--enable-suexec \
|
||||
--with-suexec-bin=/usr/sbin/suexec \
|
||||
--with-suexec-bin=/usr/lib/apache2/suexec_dir/suexec \
|
||||
--with-suexec-caller=apache \
|
||||
--with-suexec-docroot=/var/www \
|
||||
--with-suexec-logfile=/var/log/apache2/suexec.log \
|
||||
--with-suexec-uidmin=99 \
|
||||
--with-suexec-gidmin=99
|
||||
--with-suexec-logfile=/var/log/apache2/suexec.log
|
||||
else
|
||||
CONFIGURE_ARGS+= \
|
||||
--disable-suexec
|
||||
|
@ -331,8 +328,9 @@ define Package/apache-icons/install
|
|||
endef
|
||||
|
||||
define Package/apache-suexec/install
|
||||
$(INSTALL_DIR) $(1)/usr/sbin
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/suexec $(1)/usr/sbin
|
||||
$(INSTALL_DIR) -m0750 $(1)/usr/lib/apache2/suexec_dir
|
||||
$(INSTALL_SUID) $(PKG_INSTALL_DIR)/usr/sbin/suexec \
|
||||
$(1)/usr/lib/apache2/suexec_dir
|
||||
endef
|
||||
|
||||
define Package/apache-utils/install
|
||||
|
@ -342,6 +340,22 @@ define Package/apache-utils/install
|
|||
$(1)/usr/sbin
|
||||
endef
|
||||
|
||||
# Directory "suexec_dir" is installed with '-m0750' above and contains
|
||||
# SUID binary "suexec". Below post-install script changes the group of
|
||||
# "suexec_dir" to apache, so user apache can access the folder (and the
|
||||
# SUID binary). The script only changes the group if the directory is
|
||||
# currently owned by "root:root".
|
||||
define Package/apache-suexec/postinst
|
||||
#!/bin/sh
|
||||
if [ -z "$${IPKG_INSTROOT}" ]; then
|
||||
dir="/usr/lib/apache2/suexec_dir"
|
||||
if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]; then
|
||||
chown :apache "$$dir"
|
||||
fi
|
||||
fi
|
||||
exit 0
|
||||
endef
|
||||
|
||||
define Package/apache/Module
|
||||
define Package/apache-mod-$(1)
|
||||
$(call Package/apache/Default)
|
||||
|
|
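Review bot: In the apache-suexec postinst, `chown :apache "$$dir"` runs only when `IPKG_INSTROOT` is empty and the script always ends with `exit 0`, so on an image-root install, or when the apache group is missing or the `-O`/`-G` ownership test fails, suexec_dir stays root:root 0750 and suEXEC is unusable for user apache without any message. That fails closed, but it should be reported, for example `chown :apache "$$dir" || echo "apache-suexec: cannot set group apache on $$dir" >&2`; nothing visible on this page performs the chown for the image-build case, so that path needs confirming. The comment above the script should also state that the 0750 directory is the only thing limiting who can execute the setuid binary (the binary's own mode is whatever `$(INSTALL_SUID)` applies, presumably world-executable), so a later change to the directory's mode or group exposes a setuid-root program to every local user. It would help to add that `-O` and `-G` compare against the effective UID and GID of the running shell, which matches "root:root" only when the script runs as root.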