File 0001-Enhance-checking-on-NSS-database-permissions-to-incl.patch of Package apache2-mod_nss.8802

From f446b084ef5e6ba78238f1eed580a238222884a8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 21 Sep 2016 13:43:41 -0400
Subject: [PATCH] Enhance checking on NSS database permissions to include
 directory

Previously I was checking the NSS database files for readability
but not the database directory itself. Since it starts as root if
the directory permissions didn't allow read by the Apache user but
the files themselves did then startup would continue but blow
up due to the inability to chdir into the directory.
---
 nss_engine_init.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/nss_engine_init.c b/nss_engine_init.c
index cd71989..64e5996 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -51,8 +51,7 @@ static char *version_components[] = {
     NULL
 };
 
-/* See if a uid or gid can read a file at a given path. Ignore world
- * read permissions.
+/* See if a uid or gid can read a file or directory at a given path.
  *
  * Return 0 on failure or file doesn't exist
  * Return 1 on success
@@ -65,14 +64,14 @@ static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
     if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
          p)) == APR_SUCCESS) {
         if (((uid == finfo.user) &&
-            ((finfo.protection & APR_FPROT_UREAD))) ||
+            (finfo.protection & APR_FPROT_UREAD)) ||
             ((gid == finfo.group) &&
-                ((finfo.protection & APR_FPROT_GREAD)))
+                (finfo.protection & APR_FPROT_GREAD)) ||
+            (finfo.protection & APR_FPROT_WREAD)
            )
         {
             return 1;
         }
-        return 0;
     }
     return 0;
 }
@@ -158,6 +157,11 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
         }
     }
 
+    if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)
+        dbdir = (char *)mc->pCertificateDatabase + 4;
+    else
+        dbdir = (char *)mc->pCertificateDatabase;
+
     /* Assuming everything is ok so far, check the cert database permissions
      * for the server user before Apache starts forking. We die now or
      * get stuck in an endless loop not able to read the NSS database.
@@ -172,6 +176,13 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
                 "Checking permissions for user %s: uid %d gid %d",
                 mc->user, pw->pw_uid, pw->pw_gid);
 
+            if (!(check_path(pw->pw_uid, pw->pw_gid, dbdir, p))) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
+                    "Server user %s lacks read access to NSS "
+                    "database directory %s.", mc->user, dbdir);
+                nss_die();
+            }
+
             if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
                 apr_snprintf(filepath, 1024, "%s/key4.db",
                              mc->pCertificateDatabase+4);
@@ -231,10 +242,6 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
             else
                 return;
     }
-    if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0)
-        dbdir = (char *)mc->pCertificateDatabase + 4;
-    else
-        dbdir = (char *)mc->pCertificateDatabase;
     if (chdir(dbdir) != 0) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
             "Unable to change directory to %s", mc->pCertificateDatabase);
-- 
2.18.0