suexec-caps portage flag simply gets ignored. From eclass/apache-2.eclass:

> MY_CONF+=( $(use_with suexec-caps suexec-capabilities) )

From apache configure.ac:

> AC_ARG_ENABLE([suexec-capabilities], ...

So the correct configure argument is:

> MY_CONF+=( $(use_enable suexec-caps suexec-capabilities) )

Later on in eclass/apache-2.eclass we need to set the capabilities ourselves, e.g. something like this (don't forget to inherit fcaps as well):

> # set some sane permissions for suexec
> if use suexec ; then
>     fowners 0:${SUEXEC_CALLER:-apache} /usr/sbin/suexec
>     if use suexec-caps ; then
>         fcaps -o 0 -g ${SUEXEC_CALLER:-apache} -m 4710 -M 0710 cap_setuid,cap_setgid+pe usr/sbin/suexec
>     else
>         fperms 4710 /usr/sbin/suexec
>     fi
>     # provide legacy symlink for suexec, bug 177697
>     dosym /usr/sbin/suexec /usr/sbin/suexec2
> fi

From the apache documentation:

> Note that the suexec binary may not be able to write to a log file in this mode;
> it is recommended that the --with-suexec-syslog --without-suexec-logfile options
> are used in conjunction with this mode, so that syslog logging is used instead.

So suexec-caps without suexec-syslog shouldn't be used, at least unless you want to make suexec.log world-writable. I suggest removing the default assumption for the suexec-caps flag or also adding suexec-syslog.

Reproducible: Always
Looks like fcaps eclass adds IUSE filecaps, so something like this should be better:

> fowners 0:${SUEXEC_CALLER:-apache} /usr/sbin/suexec
> if use suexec-caps ; then
>     fperms 0710 /usr/sbin/suexec
>     setcap cap_setuid,cap_setgid+pe "${ED%/}/usr/sbin/suexec"
> else
>     fperms 4710 /usr/sbin/suexec
> fi
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7470c19b301ffe27fe8f20df46906827b3f24972

commit 7470c19b301ffe27fe8f20df46906827b3f24972
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-09-24 11:22:38 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-09-24 11:27:16 +0000

    apache2.eclass: Attempt to fix USE="suexec-caps"

    Bug: https://bugs.gentoo.org/665742

 eclass/apache-2.eclass | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
This is still not 100% fixed. The current code with suexec but without suexec-caps and suexec-log use flags results in the configure arguments:

> --without-suexec-syslog no

This can be fixed by encapsulating the inner usex call within double quotes. Like so:

> MY_CONF+=( $(usex suexec-syslog "$(usex suexec-caps --enable-suexec-capabilities '')" '') )

I haven't tested any other use flag combinations.
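The stray `no` in the last comment comes from word splitting: an unquoted empty `$(usex ...)` vanishes, so the outer `usex` falls back to its default false output. The script below is an added illustration, not eclass or Portage code; `use`, `use_with` and `usex` are simplified stand-ins with assumed semantics, the `use_with suexec-syslog` line is assumed to stand for whatever produces `--without-suexec-syslog`, and the USE lists are constructed.

```sh
#!/bin/sh
# Simplified stand-ins for the Portage helpers (assumed semantics, not the
# real implementations). ENABLED_USE is a constructed list of enabled flags.
use() {
    case " $ENABLED_USE " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# use_with <flag>: --with-<flag> when enabled, --without-<flag> otherwise
use_with() {
    if use "$1"; then echo "--with-$1"; else echo "--without-$1"; fi
}

# usex <flag> [true-out] [false-out] [true-suffix] [false-suffix]
# A *missing* argument defaults to "yes"/"no"; an explicitly empty one
# is printed as-is. That difference is the whole bug.
usex() {
    if use "$1"; then echo "${2-yes}$4"; else echo "${3-no}$5"; fi
}

# Buggy form: inner $(usex ...) is unquoted. With suexec-caps off it expands
# to nothing, the word is dropped, the outer usex sees only two arguments and
# its default false output "no" leaks into the configure arguments.
# Positional parameters play the role of MY_CONF+=( ... ).
conf_args_unquoted() {
    ENABLED_USE="$1"
    set -- $(use_with suexec-syslog)
    set -- "$@" $(usex suexec-syslog $(usex suexec-caps --enable-suexec-capabilities '') '')
    echo "$@"
}

# Fixed form from the last comment: double quotes keep the empty word, so the
# outer usex gets an explicit '' as its false output.
conf_args_quoted() {
    ENABLED_USE="$1"
    set -- $(use_with suexec-syslog)
    set -- "$@" $(usex suexec-syslog "$(usex suexec-caps --enable-suexec-capabilities '')" '')
    echo "$@"
}

# The combination from the report: suexec on, suexec-caps and suexec-syslog off.
conf_args_unquoted "suexec"                             # --without-suexec-syslog no
conf_args_quoted   "suexec"                             # --without-suexec-syslog
conf_args_quoted   "suexec suexec-caps suexec-syslog"   # --with-suexec-syslog --enable-suexec-capabilities
```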