*** src/support/suexec.c.orig Tue Apr 21 15:14:06 1998
--- src/support/suexec.c Fri May 22 17:59:43 1998
***************
*** 70,75 ****
--- 70,98 ----
*
*
*/
+ /*
+ * "System" CGI modification 97.05.10 by Rick Franchuk (rickf@netnation.com)
+ *
+ * I found that while it's great to make scripts run under the UID and GID
+ * specified in httpd.conf or what /etc/passwd says is 'cool', suEXEC can
+ * really put a damper on 'System' cgi's, forcing copies of the scripts
+ * to be installed into users' home directories. That didn't seem very
+ * fitting... so I changed it so that the target UID check is disabled in
+ * a system directory #defined in suexec+.h. I hope you all find it useful.
+ *
+ * The docroot check had to be bypassed to allow functionality for VirtualHost
+ * entries. I'm somewhat suprised noone encountered that behavior before.
+ */
+ /*
+ * "FPEXE modification made on 98.05.19 by Scot Hetzel (hetzels@westbend.net)
+ * based on previous FPEXE modifications supplied by Mark Wormgoor
+ * (riddles@ipe.nl)
+ *
+ * Changes were made in order to use Suexec and Frontpage 98 at the same time.
+ * After we change to the target_uid and target_gid. We check if cmd = FPEXE,
+ * if it does then we execute the cmd without performing any further tests.
+ *
+ */
#include "conf.h"
#include <sys/param.h>
***************
*** 393,398 ****
--- 416,429 ----
}
/*
+ * We logged everything, changed to the target uid/gid, and know the
+ * user is ok. We run fpexe now and bail out before anything goes wrong.
+ */
+ #ifdef FPEXE
+ if ((strcmp(cmd, FPEXE)) != NULL) {
+ #endif
+
+ /*
* Get the current working directory, as well as the proper
* document root (dependant upon whether or not it is a
* ~userdir request). Error out if we cannot get either one,
***************
*** 423,432 ****
--- 454,468 ----
}
}
+ /*
+ * This section must be commented out to work properly with
+ * VirtualHosts running CGI in thier own directories.
+ *
if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
log_err("command not in docroot (%s/%s)\n", cwd, cmd);
exit(114);
}
+ */
/*
* Stat the cwd and verify it is a directory, or error out.
***************
*** 472,477 ****
--- 508,516 ----
* Error out if the target name/group is different from
* the name/group of the cwd or the program.
*/
+ #ifdef SYSTEM_CGI
+ if (strncmp(cwd, SYSTEM_CGI, strlen(SYSTEM_CGI))) {
+ #endif
if ((uid != dir_info.st_uid) ||
(gid != dir_info.st_gid) ||
(uid != prg_info.st_uid) ||
***************
*** 482,487 ****
--- 521,530 ----
prg_info.st_uid, prg_info.st_gid);
exit(120);
}
+ #ifdef SYSTEM_CGI
+ }
+ #endif
+
/*
* Error out if the program is not executable for the user.
* Otherwise, she won't find any error in the logs except for
***************
*** 493,498 ****
--- 536,584 ----
}
clean_env();
+
+ #ifdef FPEXE
+ }
+ else {
+
+ /* The following taken from mod_frontpage.c to check permissions */
+
+ /*
+ * We can't stat the stub dir. Make sure the stub directory is not
+ * owned by root and not group/world writable
+ */
+ if ((lstat(FPSTUBDIR, &dir_info) == -1 ||
+ dir_info.st_uid ||
+ (dir_info.st_mode & (S_IWGRP | S_IWOTH)) ||
+ (!S_ISDIR(dir_info.st_mode)))) {
+ /*
+ * User recovery: set directory to be owned by by root with
+ * permissions r*x*-x*-x.
+ */
+ log_err("Incorrect permissions on stub directory \"%-.1024s\"",
+ FPSTUBDIR);
+ exit (250);
+ }
+
+ /*
+ * We can't stat the stub. Make sure the stub is not owned by root,
+ * set-uid, set-gid, and is not group/world writable or executable.
+ */
+ if ((stat(cmd, &prg_info) == -1 ||
+ prg_info.st_uid ||
+ !(prg_info.st_mode & S_ISUID) ||
+ (prg_info.st_mode & S_ISGID) ||
+ (prg_info.st_mode & (S_IWGRP | S_IWOTH)) ||
+ !(prg_info.st_mode & (S_IXGRP | S_IXOTH)))) {
+ /*
+ * User recovery: set stub to be owned by by root with permissions
+ * r*s*-x*-x.
+ */
+ log_err("Incorrect permissions on stub \"%-.1024s\"", cmd);
+ exit (251);
+ }
+ }
+ #endif
/*
* Be sure to close the log file so the CGI can't
