
Bug#262359: marked as done (apache: ChrootDir feature patch would be nice)



Your message dated Wed, 16 Sep 2009 21:32:49 +0100
with message-id <1253133169.066960.3691.nullmailer@kmos.homeip.net>
and subject line Package apache has been removed from Debian
has caused the Debian Bug report #262359,
regarding apache: ChrootDir feature patch would be nice
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
262359: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=262359
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache
Severity: wishlist
Tags: patch

The attached patch adds the ChrootDir directive to the configuration,
which allows the server to chroot(2) into the specified directory upon
serving requests.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-omoikane.4
Locale: LANG=C, LC_CTYPE=C
diff -urN build-tree-apache/apache_1.3.31.orig/conf/httpd.conf-dist build-tree-apache/apache_1.3.31/conf/httpd.conf-dist
--- build-tree-apache/apache_1.3.31.orig/conf/httpd.conf-dist	2004-02-19 10:13:11.000000000 -0800
+++ build-tree-apache/apache_1.3.31/conf/httpd.conf-dist	2004-07-30 11:30:13.000000000 -0700
@@ -59,6 +59,14 @@
 ServerRoot "@@ServerRoot@@"
 
 #
+# ChrootDir: The directory to chroot to
+#
+# NOTE: When using this all directory/file references in DocumentRoot,
+# <Directory> and <Files> should be relative to this ChrootDir!
+#
+#ChrootDir "@@ServerRoot@@/htdocs"
+
+#
 # The LockFile directive sets the path to the lockfile used when Apache
 # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
 # USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
diff -urN build-tree-apache/apache_1.3.31.orig/src/include/http_conf_globals.h build-tree-apache/apache_1.3.31/src/include/http_conf_globals.h
--- build-tree-apache/apache_1.3.31.orig/src/include/http_conf_globals.h	2004-07-30 11:28:39.000000000 -0700
+++ build-tree-apache/apache_1.3.31/src/include/http_conf_globals.h	2004-07-30 11:31:06.000000000 -0700
@@ -77,6 +77,7 @@
 
 extern API_VAR_EXPORT char ap_server_root[MAX_STRING_LEN];
 extern API_VAR_EXPORT char ap_server_confname[MAX_STRING_LEN];
+extern API_VAR_EXPORT char ap_chroot_dir[MAX_STRING_LEN];
 
 /* for -C, -c and -D switches */
 extern API_VAR_EXPORT array_header *ap_server_pre_read_config;
diff -urN build-tree-apache/apache_1.3.31.orig/src/main/http_core.c build-tree-apache/apache_1.3.31/src/main/http_core.c
--- build-tree-apache/apache_1.3.31.orig/src/main/http_core.c	2004-07-30 11:28:29.000000000 -0700
+++ build-tree-apache/apache_1.3.31/src/main/http_core.c	2004-07-30 11:33:51.000000000 -0700
@@ -2212,6 +2212,31 @@
     return NULL;
 }
 
+static const char *set_chroot_dir(cmd_parms *cmd, void *dummy, char *arg)
+{
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+
+    if (err != NULL) {
+        return err;
+    }
+
+    arg = ap_os_canonical_filename(cmd->pool, arg);
+
+    if (!ap_is_directory(arg)) {
+        return "ChrootDir must be a valid directory";
+    }
+    /* ChrootDir is never '/' terminated */
+    while (strlen(ap_chroot_dir) > 1 && ap_chroot_dir[strlen(ap_chroot_dir)-1] == '/')
+        ap_chroot_dir[strlen(ap_chroot_dir)-1] = '\0';
+    ap_cpystrn(ap_chroot_dir, arg,
+              sizeof(ap_chroot_dir));
+
+    /* XXX: after ChrootDir we cannot check DocumentRoot easily */
+    ap_docrootcheck = 0;
+
+    return NULL;
+}
+
 static const char *set_timeout(cmd_parms *cmd, void *dummy, char *arg)
 {
     const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT);
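Review bot: The trailing-slash loop at lines 94-95 runs before `ap_cpystrn` copies `arg` into `ap_chroot_dir`, so it trims the previous (initially empty) value and the directory just configured keeps any trailing '/', contradicting the comment above it. Move the copy ahead of the loop: `ap_cpystrn(ap_chroot_dir, arg, sizeof(ap_chroot_dir));` followed by the existing `while` statement. The `ap_is_directory(arg)` test here validates the path at configuration-parse time only; the chroot(2) in http_main.c resolves the string again later, so this check is advisory and a short comment saying so would help the next reader. `ap_docrootcheck = 0` silently disables DocumentRoot validation for the whole server, which the XXX comment acknowledges but the directive's help text does not mention.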
@@ -3530,6 +3555,8 @@
   "En-/disable server signature (on|off|email)" },
 { "ServerRoot", set_server_root, NULL, RSRC_CONF, TAKE1,
   "Common directory of server-related files (logs, confs, etc.)" },
+{ "ChrootDir", set_chroot_dir, NULL, RSRC_CONF, TAKE1,
+  "The directory to chroot(2) into" },
 { "ErrorLog", set_server_string_slot,
   (void *)XtOffsetOf (server_rec, error_fname), RSRC_CONF, TAKE1,
   "The filename of the error log" },
diff -urN build-tree-apache/apache_1.3.31.orig/src/main/http_main.c build-tree-apache/apache_1.3.31/src/main/http_main.c
--- build-tree-apache/apache_1.3.31.orig/src/main/http_main.c	2004-07-30 11:28:39.000000000 -0700
+++ build-tree-apache/apache_1.3.31/src/main/http_main.c	2004-07-30 11:37:07.000000000 -0700
@@ -275,6 +275,7 @@
 
 API_VAR_EXPORT char ap_server_root[MAX_STRING_LEN]="";
 API_VAR_EXPORT char ap_server_confname[MAX_STRING_LEN]="";
+API_VAR_EXPORT char ap_chroot_dir[MAX_STRING_LEN]="";
 API_VAR_EXPORT char ap_coredump_dir[MAX_STRING_LEN]="";
 int ap_coredump_dir_configured=0;
 
@@ -4466,6 +4467,30 @@
     }
     GETUSERMODE();
 #else
+
+    if (ap_chroot_dir[0] != '\0') {
+       if (!ap_standalone) {
+           ap_log_error(APLOG_MARK, APLOG_ALERT, server_conf,
+                        "Cannot chroot when not in standalone mode");
+           exit(1);
+       }
+       if (geteuid()) {
+           ap_log_error(APLOG_MARK, APLOG_ALERT, server_conf,
+                        "Cannot chroot when not started as root");
+           exit(1);
+       }
+       if (chdir(ap_chroot_dir)) {
+           ap_log_error(APLOG_MARK, APLOG_ALERT, server_conf,
+                        "Unable to chdir to %s", ap_chroot_dir);
+           exit(1);
+       }
+       if (chroot(ap_chroot_dir)) {
+           ap_log_error(APLOG_MARK, APLOG_ALERT, server_conf,
+                        "Unable to chroot to %s", ap_chroot_dir);
+           exit(1);
+       }
+    }
+
     /* 
      * Only try to switch if we're running as root
      * In case of Cygwin we have the special super-user named SYSTEM
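Review bot: The `chdir(ap_chroot_dir)` / `chroot(ap_chroot_dir)` pair at lines 144-153 resolves the same string twice against different working directories, so a relative ChrootDir (the canonicalisation in set_chroot_dir does not necessarily make it absolute) would attempt to chroot into `dir/dir`, and even an absolute one depends on nothing replacing the directory between the two calls. The conventional order is `chroot(ap_chroot_dir)` first and then `chdir("/")`, which leaves the working directory inside the new root however the path is spelled; that is a change to the two call sites, not a rewrite. These lines sit under an `#else` whose `#if` and enclosing function begin outside the hunk; the visible ordering, chroot while still root and before the uid switch that follows, is the correct one, and a one-line comment stating that dependency would protect it against later reordering.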
@@ -5419,6 +5444,10 @@
 	ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, server_conf,
 		    "Accept mutex: %s (Default: %s)",
 		     amutex->name, ap_default_mutex_method());
+        if (ap_chroot_dir[0] != '\0') {
+            ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, server_conf,
+                         "Chroot directory: %s", ap_chroot_dir);
+        }
 	restart_pending = shutdown_pending = 0;
 
 	while (!restart_pending && !shutdown_pending) {
diff -urN build-tree-apache/apache_1.3.31.orig/src/main/http_request.c build-tree-apache/apache_1.3.31/src/main/http_request.c
--- build-tree-apache/apache_1.3.31.orig/src/main/http_request.c	2004-07-30 11:28:39.000000000 -0700
+++ build-tree-apache/apache_1.3.31/src/main/http_request.c	2004-07-30 11:37:58.000000000 -0700
@@ -181,7 +181,10 @@
         /* Advance over trailing slashes ... NOT part of filename 
          * if file is not a UNC name (Win32 only).
          */
-        for (cp = end; cp > path && cp[-1] == '/'; --cp)
+        /* XXX: we need path+1 instead of path here to handle the case
+         *      of path = "/" (this can happen when using ChrootDir)
+         */
+        for (cp = end; cp > path+1 && cp[-1] == '/'; --cp)
             continue;
 
     while (cp > path) {
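Review bot: `cp > path+1` at line 181 assumes `path[0]` is '/'; if the caller can pass a filename that does not begin with a slash, the loop now stops one character early and leaves a trailing '/' in place where the original stripped it. Guarding on the actual first character, `for (cp = end; cp > path + (path[0] == '/') && cp[-1] == '/'; --cp)`, keeps a lone "/" intact while preserving the old behaviour for every other input. Whether a non-rooted path can reach this point is not visible here, so the XXX comment should at least state the assumption. The enclosing function starts and ends outside this hunk.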

--- End Message ---
--- Begin Message ---
Version: 1.3.34-4.1+rm

You filed the bug http://bugs.debian.org/262359 in Debian BTS
against the package apache. I'm closing it at *unstable*, but it will
remain open for older distributions.

For more information about this package's removal, read
http://bugs.debian.org/418266. That bug might give the reasons why
this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.

--
Marco Rodrigues


--- End Message ---
