apache: revisit suEXEC setup
authorSebastian Kemper <sebastian_ml@gmx.net>
Sat, 16 May 2020 12:30:39 +0000 (14:30 +0200)
committerSebastian Kemper <sebastian_ml@gmx.net>
Sat, 16 May 2020 12:47:37 +0000 (14:47 +0200)
When adding suEXEC to the apache package, Alpine's package [1] served as
a template. Not enough attention was paid to the details.

Alpine uses a different layout. So for OpenWrt to use /var/www as
DocumentRoot does not make sense. /var is also volatile on OpenWrt. This
commit removes the configure argument. The default is htdocsdir.

This also does away with uidmin/gidmin 99. The default is 100, which is
fine.

Finally, the suexec binary is moved from /usr/sbin to
/usr/lib/apache2/suexec_dir. Upstream recommends installing suexec with
"4750" (see [2]) and the group set to the user's group. While that would
be possible, it would cause a few headaches on OpenWrt. The group would
need to be changed first in a post-install script and a call to chmod
would need to be made afterward, to make the binary SUID again.

It's easier to hide the SUID binary away from others in a directory.
This way we don't need to use chmod in the post-install script.

[1] https://github.com/alpinelinux/aports/tree/master/main/apache2
[2] https://httpd.apache.org/docs/2.4/suexec.html

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
net/apache/Makefile

index 4547002a93bffd1511840ab29c8e30483ea7b664..8efcb77fac6959ef5d1575c08a2e9815245f36be 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=apache
 PKG_VERSION:=2.4.43
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_NAME:=httpd
 
 PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2
@@ -246,12 +246,9 @@ endif
 ifneq ($(CONFIG_PACKAGE_apache-mod-suexec)$(CONFIG_PACKAGE_apache-suexec),)
 CONFIGURE_ARGS+= \
        --enable-suexec \
-       --with-suexec-bin=/usr/sbin/suexec \
+       --with-suexec-bin=/usr/lib/apache2/suexec_dir/suexec \
        --with-suexec-caller=apache \
-       --with-suexec-docroot=/var/www \
-       --with-suexec-logfile=/var/log/apache2/suexec.log \
-       --with-suexec-uidmin=99 \
-       --with-suexec-gidmin=99
+       --with-suexec-logfile=/var/log/apache2/suexec.log
 else
 CONFIGURE_ARGS+= \
        --disable-suexec
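Review bot: With `--with-suexec-docroot`, `--with-suexec-uidmin` and `--with-suexec-gidmin` dropped from the suexec block, the limits suexec enforces are whatever configure defaults to, and nothing in the Makefile records that choice. These values are compiled into the SUID binary, so a comment above `CONFIGURE_ARGS+=` would help, e.g. `# suexec docroot/uidmin/gidmin intentionally left at configure defaults (htdocsdir, 100, 100)`. The retained `--with-suexec-logfile=/var/log/apache2/suexec.log` points into /var, which the commit message describes as volatile, so the suexec log presumably does not survive a reboot. If that is intended, it is worth stating in the same comment.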
@@ -331,8 +328,9 @@ define Package/apache-icons/install
 endef
 
 define Package/apache-suexec/install
-       $(INSTALL_DIR) $(1)/usr/sbin
-       $(CP) $(PKG_INSTALL_DIR)/usr/sbin/suexec $(1)/usr/sbin
+       $(INSTALL_DIR) -m0750 $(1)/usr/lib/apache2/suexec_dir
+       $(INSTALL_SUID) $(PKG_INSTALL_DIR)/usr/sbin/suexec \
+                       $(1)/usr/lib/apache2/suexec_dir
 endef
 
 define Package/apache-utils/install
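Review bot: Access to the SUID binary is gated only by the mode of `suexec_dir`, and that mode is set by appending `-m0750` to `$(INSTALL_DIR)`, whose definition is outside this diff. If the macro already carries its own `-m` option, the result depends on the install tool honouring the last one. An explicit `chmod 0750 $(1)/usr/lib/apache2/suexec_dir` after the `$(INSTALL_DIR)` line would make the mode independent of that. A one-line comment inside `Package/apache-suexec/install` saying the directory mode must not be loosened, because it is what keeps other users away from the SUID binary, would also help later editors.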
@@ -342,6 +340,22 @@ define Package/apache-utils/install
                                                                        $(1)/usr/sbin
 endef
 
+# Directory "suexec_dir" is installed with '-m0750' above and contains
+# SUID binary "suexec". Below post-install script changes the group of
+# "suexec_dir" to apache, so user apache can access the folder (and the
+# SUID binary). The script only changes the group if the directory is
+# currently owned by "root:root".
+define Package/apache-suexec/postinst
+#!/bin/sh
+if [ -z "$${IPKG_INSTROOT}" ]; then
+  dir="/usr/lib/apache2/suexec_dir"
+  if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]; then
+    chown :apache "$$dir"
+  fi
+fi
+exit 0
+endef
+
 define Package/apache/Module
 define Package/apache-mod-$(1)
 $(call Package/apache/Default)
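Review bot: The `chown :apache "$$dir"` in the postinst can fail or be skipped without any trace, because the script ends in an unconditional `exit 0` and the ownership test has no else branch. The outcome is fail-closed (the directory stays root-only), but suEXEC is then unusable with no hint as to why; consider `chown :apache "$$dir" || echo "apache-suexec: cannot set group apache on $$dir" >&2`. The whole block is also skipped when `IPKG_INSTROOT` is set, so presumably an image that ships the package preinstalled never gets the group change; confirm this against the image build flow. The `-O`/`-G` tests compare against the user running the script, so they match the "root:root" wording of the comment only when the script runs as root.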