From d5096a76f5b94cc48ea7aed3eece93e8d806522b Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Sat, 16 May 2020 14:24:03 +0200 Subject: [PATCH 1/4] apache: create log directory o= Hides away the contents of the log directory from others. Signed-off-by: Sebastian Kemper --- net/apache/files/apache2.init | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/apache/files/apache2.init b/net/apache/files/apache2.init index a0136c841..df2e2646e 100644 --- a/net/apache/files/apache2.init +++ b/net/apache/files/apache2.init @@ -11,7 +11,8 @@ restart() { } start() { - mkdir -p /var/log/apache2 /var/run/apache2 + mkdir -p -m 0750 /var/log/apache2 + mkdir -p /var/run/apache2 apachectl -k start } From 234fe24e4856370367d33db5f69bdab05b95e784 Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Sat, 16 May 2020 14:30:39 +0200 Subject: [PATCH 2/4] apache: revisit suEXEC setup When adding suEXEC to the apache package, Alpine's package [1] served as a template. Not enough attention was paid to the details. Alpine uses a different layout. So for OpenWrt to use /var/www as DocumentRoot does not make sense. /var is also volatile on OpenWrt. This commit removes the configure argument. The default is htdocsdir. This also does away with uidmin/gidmin 99. The default is 100, which is fine. Finally, the suexec binary is moved from /usr/sbin to /usr/lib/apache2/suexec_dir. Upstream recommends installing suexec with "4750" (see [2]) and the group set to the user's group. While that would be possible, it would cause a few headaches on OpenWrt. The group would need to be changed first in a post-install script and a call to chmod would need to be made afterward, to make the binary SUID again. It's easier to hide the SUID binary away from others in a directory. This way we don't need to use chmod in the post-install script. [1] https://github.com/alpinelinux/aports/tree/master/main/apache2 [2] https://httpd.apache.org/docs/2.4/suexec.html 
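Review bot: `mkdir -p -m 0750 /var/log/apache2` applies the mode only when it actually creates the directory; if /var/log/apache2 already exists (a second `start` after a stop, or a directory created by hand or by another package before this script runs) the existing mode is kept and the log contents are not hidden as the commit intends. Following the mkdir with an explicit `chmod 0750 /var/log/apache2` enforces it unconditionally, and a short comment such as `# log dir is root:root 0750 on purpose: keep other users out of the logs` would record why the two mkdirs were split. The directory stays root-owned with group root, so presumably httpd and suexec are expected to open their logs as root; if anything running as the apache user ever needs to write there this will fail silently. The enclosing `start()` is complete within the hunk; `restart()` begins before it.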
Signed-off-by: Sebastian Kemper --- net/apache/Makefile | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/net/apache/Makefile b/net/apache/Makefile index 8be3e18dd..088867a9f 100644 --- a/net/apache/Makefile +++ b/net/apache/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=apache PKG_VERSION:=2.4.43 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_NAME:=httpd PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2 @@ -264,12 +264,9 @@ endif ifneq ($(CONFIG_PACKAGE_apache-mod-suexec)$(CONFIG_PACKAGE_apache-suexec),) CONFIGURE_ARGS+= \ --enable-suexec \ - --with-suexec-bin=/usr/sbin/suexec \ + --with-suexec-bin=/usr/lib/apache2/suexec_dir/suexec \ --with-suexec-caller=apache \ - --with-suexec-docroot=/var/www \ - --with-suexec-logfile=/var/log/apache2/suexec.log \ - --with-suexec-uidmin=99 \ - --with-suexec-gidmin=99 + --with-suexec-logfile=/var/log/apache2/suexec.log else CONFIGURE_ARGS+= \ --disable-suexec @@ -349,8 +346,9 @@ define Package/apache-icons/install endef define Package/apache-suexec/install - $(INSTALL_DIR) $(1)/usr/sbin - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/suexec $(1)/usr/sbin + $(INSTALL_DIR) -m0750 $(1)/usr/lib/apache2/suexec_dir + $(INSTALL_SUID) $(PKG_INSTALL_DIR)/usr/sbin/suexec \ + $(1)/usr/lib/apache2/suexec_dir endef define Package/apache-utils/install 
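Review bot: `$(INSTALL_DIR) -m0750 $(1)/usr/lib/apache2/suexec_dir` relies on the trailing `-m0750` overriding the mode that INSTALL_DIR already passes (as far as I recall it expands to `install -d -m0755` in rules.mk, and GNU install honours the last `-m`); that works today but breaks quietly if the arguments are reordered or INSTALL_DIR changes, so either spell it out with `# -m0750 must come after INSTALL_DIR's own -m0755 to override it` or call a plain `$(INSTALL_DIR) $(1)/usr/lib/apache2 && install -d -m0750 ...`. It is also worth a comment next to `$(INSTALL_SUID)` that the binary's own mode is deliberately left at the SUID default and the whole protection is the 0750 directory plus the group set later by the postinst, because anyone who later loosens the directory mode exposes a root SUID binary to every local user. The `Package/apache-suexec/install` recipe is complete within the hunk.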
@@ -360,6 +358,22 @@ define Package/apache-utils/install $(1)/usr/sbin endef +# Directory "suexec_dir" is installed with '-m0750' above and contains +# SUID binary "suexec". Below post-install script changes the group of +# "suexec_dir" to apache, so user apache can access the folder (and the +# SUID binary). The script only changes the group if the directory is +# currently owned by "root:root". +define Package/apache-suexec/postinst +#!/bin/sh +if [ -z "$${IPKG_INSTROOT}" ]; then + dir="/usr/lib/apache2/suexec_dir" + if ! [ -L "$$dir" ] && [ -d "$$dir" ] && [ -O "$$dir" ] && [ -G "$$dir" ]; then + chown :apache "$$dir" + fi +fi +exit 0 +endef + define Package/apache/Module define Package/apache-mod-$(1) $(call Package/apache/Default) From 61f3bd507c4688f031e710b847fa0f0767bda6b1 Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Wed, 8 Jul 2020 18:28:32 +0200 Subject: [PATCH 3/4] apache/apr/apr-util: remove maintainer Signed-off-by: Sebastian Kemper --- libs/apr-util/Makefile | 3 +-- libs/apr/Makefile | 3 +-- net/apache/Makefile | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/libs/apr-util/Makefile b/libs/apr-util/Makefile index 0a0e12eaf..8938acd98 100644 --- a/libs/apr-util/Makefile +++ b/libs/apr-util/Makefile @@ -14,8 +14,7 @@ PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@APACHE/apr/ PKG_HASH:=d3e12f7b6ad12687572a3a39475545a072608f4ba03a6ce8a3778f607dd0035b -PKG_MAINTAINER:=Thomas Heil , \ - Sebastian Kemper +PKG_MAINTAINER:=Thomas Heil PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE diff --git a/libs/apr/Makefile b/libs/apr/Makefile index 41cf7b774..034a4e8f8 100644 --- a/libs/apr/Makefile +++ b/libs/apr/Makefile 
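Review bot: The new postinst does nothing when `IPKG_INSTROOT` is set, so in a firmware image that has apache-suexec built in, `/usr/lib/apache2/suexec_dir` ships as root:root 0750 and the `apache` user cannot traverse it, leaving suexec unusable until someone runs `chgrp apache` on the device; neither the comment above the define nor the commit message mentions this. The name-based `chown :apache` is presumably skipped there because the build host has no `apache` group, but the gid can be read from the image's own `/etc/group` and applied numerically, provided the apache user has already been added by the time this dependent package installs (please confirm against the apache package's USERID handling). Separately, when the `-O`/`-G` test fails the script exits 0 without a word, which hides a misconfigured install; an `else echo "suexec_dir not root:root, leaving ownership unchanged" >&2` branch would make that visible. The `define Package/apache-suexec/postinst ... endef` block is complete within the hunk.

```make
if [ -z "$${IPKG_INSTROOT}" ]; then
	# … unchanged: live-system chown :apache guarded by -L/-d/-O/-G …
else
	# Image build: the host has no "apache" group, so take the numeric gid
	# from the target rootfs instead (no-op if the user is not there yet).
	dir="$${IPKG_INSTROOT}/usr/lib/apache2/suexec_dir"
	gid=$$(sed -n 's/^apache:[^:]*:\([0-9]*\):.*/\1/p' "$${IPKG_INSTROOT}/etc/group")
	if [ -n "$$gid" ] && ! [ -L "$$dir" ] && [ -d "$$dir" ]; then
		chown ":$$gid" "$$dir"
	fi
fi
```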
@@ -15,8 +15,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@APACHE/apr/ PKG_HASH:=e2e148f0b2e99b8e5c6caa09f6d4fb4dd3e83f744aa72a952f94f5a14436f7ea -PKG_MAINTAINER:=Thomas Heil , \ - Sebastian Kemper +PKG_MAINTAINER:=Thomas Heil PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE diff --git a/net/apache/Makefile b/net/apache/Makefile index 088867a9f..012f53ea4 100644 --- a/net/apache/Makefile +++ b/net/apache/Makefile @@ -18,8 +18,7 @@ PKG_HASH:=a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_NAME)-$(PKG_VERSION) -PKG_MAINTAINER:=Thomas Heil , \ - Sebastian Kemper +PKG_MAINTAINER:=Thomas Heil PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE From f5a57e42ca6f59ccac963a019ea6275642a1ffb2 Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Sat, 8 Aug 2020 16:15:43 +0200 Subject: [PATCH 4/4] apache: security bump to 2.4.46 From CHANGES_2.4: SECURITY: CVE-2020-11984 (cve.mitre.org) mod_proxy_uwsgi: Malicious request may result in information disclosure or RCE of existing file on the server running under a malicious process environment. [Yann Ylavic] SECURITY: CVE-2020-11993 (cve.mitre.org) mod_http2: when throttling connection requests, log statements where possibly made that result in concurrent, unsafe use of a memory pool. [Stefan Eissing] SECURITY: mod_http2: a specially crafted value for the 'Cache-Digest' header request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. [Stefan Eissing, Eric Covener, Christophe Jaillet] Signed-off-by: Sebastian Kemper --- net/apache/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/apache/Makefile b/net/apache/Makefile index 012f53ea4..c6bc29d49 100644 --- a/net/apache/Makefile +++ b/net/apache/Makefile 
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=apache
-PKG_VERSION:=2.4.43
-PKG_RELEASE:=2
+PKG_VERSION:=2.4.46
+PKG_RELEASE:=1
 PKG_SOURCE_NAME:=httpd
 PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@APACHE/httpd/
-PKG_HASH:=a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43
+PKG_HASH:=740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_NAME)-$(PKG_VERSION)