Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
apache2-mod_nss.8802
0001-Enhance-checking-on-NSS-database-permissio...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-Enhance-checking-on-NSS-database-permissions-to-incl.patch of Package apache2-mod_nss.8802
From f446b084ef5e6ba78238f1eed580a238222884a8 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcritten@redhat.com> Date: Wed, 21 Sep 2016 13:43:41 -0400 Subject: [PATCH] Enhance checking on NSS database permissions to include directory Previously I was checking the NSS database files for readability but not the database directory itself. Since it starts as root if the directory permissions didn't allow read by the Apache user but the files themselves did then startup would continue but blow up due to the inability to chdir into the directory. --- nss_engine_init.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/nss_engine_init.c b/nss_engine_init.c index cd71989..64e5996 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c @@ -51,8 +51,7 @@ static char *version_components[] = { NULL }; -/* See if a uid or gid can read a file at a given path. Ignore world - * read permissions. +/* See if a uid or gid can read a file or directory at a given path. * * Return 0 on failure or file doesn't exist * Return 1 on success @@ -65,14 +64,14 @@ static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p) if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p)) == APR_SUCCESS) { if (((uid == finfo.user) && - ((finfo.protection & APR_FPROT_UREAD))) || + (finfo.protection & APR_FPROT_UREAD)) || ((gid == finfo.group) && - ((finfo.protection & APR_FPROT_GREAD))) + (finfo.protection & APR_FPROT_GREAD)) || + (finfo.protection & APR_FPROT_WREAD) ) { return 1; } - return 0; } return 0; } @@ -158,6 +157,11 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) } } + if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) + dbdir = (char *)mc->pCertificateDatabase + 4; + else + dbdir = (char *)mc->pCertificateDatabase; + /* Assuming everything is ok so far, check the cert database permissions * for the server user before Apache starts forking. We die now or * get stuck in an endless loop not able to read the NSS database. @@ -172,6 +176,13 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) "Checking permissions for user %s: uid %d gid %d", mc->user, pw->pw_uid, pw->pw_gid); + if (!(check_path(pw->pw_uid, pw->pw_gid, dbdir, p))) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, + "Server user %s lacks read access to NSS " + "database directory %s.", mc->user, dbdir); + nss_die(); + } + if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) { apr_snprintf(filepath, 1024, "%s/key4.db", mc->pCertificateDatabase+4); @@ -231,10 +242,6 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p) else return; } - if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) - dbdir = (char *)mc->pCertificateDatabase + 4; - else - dbdir = (char *)mc->pCertificateDatabase; if (chdir(dbdir) != 0) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Unable to change directory to %s", mc->pCertificateDatabase); -- 2.18.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor