Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
apache2-mod_nss.8802
0001-Handle-group-membership-when-testing-for-f...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-Handle-group-membership-when-testing-for-file-permis.patch of Package apache2-mod_nss.8802
From 665a696088324176b7902d6338171078e6d37318 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcritten@redhat.com> Date: Thu, 23 Feb 2017 13:06:21 -0500 Subject: [PATCH] Handle group membership when testing for file permissions This was a bit of a corner case but group membership wasn't considered when trying to determine if the NSS databases are readable. Resolves BZ 1395300 --- nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 12 deletions(-) Index: mod_nss-1.0.14/nss_engine_init.c =================================================================== --- mod_nss-1.0.14.orig/nss_engine_init.c 2018-09-18 14:43:20.662246062 +0200 +++ mod_nss-1.0.14/nss_engine_init.c 2018-09-18 14:43:23.282261233 +0200 @@ -29,6 +29,7 @@ #include "cert.h" #include <sys/types.h> #include <pwd.h> +#include <grp.h> static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket); static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg); @@ -56,17 +57,33 @@ static char *version_components[] = { * Return 0 on failure or file doesn't exist * Return 1 on success */ -static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p) +static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath, + apr_pool_t *p) { apr_finfo_t finfo; - int rv; + PRBool in_group = PR_FALSE; + struct group *gr; + int i = 0; + + if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p)) + == APR_SUCCESS) { + if ((gr = getgrgid(finfo.group)) == NULL) { + return 0; + } - if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, - p)) == APR_SUCCESS) { + if (gid == finfo.group) { + in_group = PR_TRUE; + } else { + while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) { + if (!strcasecmp(user, gr->gr_mem[i++])) { + in_group = PR_TRUE; + break; + } + } + } if (((uid == finfo.user) && (finfo.protection & APR_FPROT_UREAD)) || - ((gid == finfo.group) && - (finfo.protection & APR_FPROT_GREAD)) || + (in_group && (finfo.protection & APR_FPROT_GREAD)) || (finfo.protection & APR_FPROT_WREAD) ) { @@ -176,7 +193,7 @@ static void nss_init_SSLLibrary(server_r "Checking permissions for user %s: uid %d gid %d", mc->user, pw->pw_uid, pw->pw_gid); - if (!(check_path(pw->pw_uid, pw->pw_gid, dbdir, p))) { + if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, dbdir, p))) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS " "database directory %s.", mc->user, dbdir); @@ -186,7 +203,8 @@ static void nss_init_SSLLibrary(server_r if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) { apr_snprintf(filepath, 1024, "%s/key4.db", mc->pCertificateDatabase+4); - if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { + if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, + p))) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS key " "database %s.", mc->user, filepath); @@ -194,7 +212,8 @@ static void nss_init_SSLLibrary(server_r } apr_snprintf(filepath, 1024, "%s/cert9.db", mc->pCertificateDatabase+4); - if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { + if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, + p))) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS cert " "database %s.", mc->user, filepath); @@ -203,7 +222,8 @@ static void nss_init_SSLLibrary(server_r } else { apr_snprintf(filepath, 1024, "%s/key3.db", mc->pCertificateDatabase); - if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { + if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, + p))) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS key " "database %s.", mc->user, filepath); @@ -211,7 +231,8 @@ static void nss_init_SSLLibrary(server_r } apr_snprintf(filepath, 1024, "%s/cert8.db", mc->pCertificateDatabase); - if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { + if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, + p))) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS cert " "database %s.", mc->user, filepath); @@ -219,7 +240,7 @@ static void nss_init_SSLLibrary(server_r } apr_snprintf(filepath, 1024, "%s/secmod.db", mc->pCertificateDatabase); - if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) { + if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server, "Server user %s lacks read access to NSS secmod " "database %s.", mc->user, filepath);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor