File 0014-Add-SymlinkProtect-and-SymlinkProtectRoot-... of Package ea-apache2

Overview Repositories Revisions Requests Users Attributes Meta

File 0014-Add-SymlinkProtect-and-SymlinkProtectRoot-functional.patch of Package ea-apache2

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Cory McIntire <cory@cpanel.net>
Date: Thu, 12 Jul 2018 15:50:51 -0500
Subject: [PATCH 14/21] Add SymlinkProtect and SymlinkProtectRoot functionality

---
 include/http_core.h             |  10 +++-
 modules/mappers/mod_userdir.c   |  31 +++++++---
 modules/mappers/mod_userdir.dep |   1 +
 server/core.c                   | 103 ++++++++++++++++++++++++++++++++
 4 files changed, 135 insertions(+), 10 deletions(-)

diff --git a/include/http_core.h b/include/http_core.h
index 948034f..8673506 100644
--- a/include/http_core.h
+++ b/include/http_core.h
@@ -509,7 +509,7 @@ typedef unsigned long etag_components_t;
 #define AP_CORE_MERGE_FLAG(field, to, base, over) to->field = \
                over->field != AP_CORE_CONFIG_UNSET            \
                ? over->field                                  \
-               : base->field                                   
+               : base->field
 
 /**
  * @brief Server Signature Enumeration
@@ -672,7 +672,7 @@ typedef struct {
 #define AP_CGI_PASS_AUTH_UNSET   (2)
     /** CGIPassAuth: Whether HTTP authorization headers will be passed to
      * scripts as CGI variables; affects all modules calling
-     * ap_add_common_vars(), as well as any others using this field as 
+     * ap_add_common_vars(), as well as any others using this field as
      * advice
      */
     unsigned int cgi_pass_auth : 2;
@@ -752,6 +752,12 @@ typedef struct {
 #define AP_HTTP_METHODS_REGISTERED    2
     char http_methods;
     unsigned int merge_slashes;
+    /* symlink protection */
+#define AP_SYMLINK_PROTECT_UNSET   0
+#define AP_SYMLINK_PROTECT_ENABLE  1
+#define AP_SYMLINK_PROTECT_DISABLE 2
+    int symlink_protect;
+    const char *symlink_protect_root;
  
     apr_size_t   flush_max_threshold;
     apr_int32_t  flush_max_pipelined;
diff --git a/modules/mappers/mod_userdir.c b/modules/mappers/mod_userdir.c
index 1ec0e90..6a0f44d 100644
--- a/modules/mappers/mod_userdir.c
+++ b/modules/mappers/mod_userdir.c
@@ -51,6 +51,7 @@
 
 #include "apr_strings.h"
 #include "apr_user.h"
+#include "apr_env.h"
 
 #define APR_WANT_STRFUNC
 #include "apr_want.h"
@@ -62,7 +63,9 @@
 #include "ap_config.h"
 #include "httpd.h"
 #include "http_config.h"
+#include "http_core.h"
 #include "http_request.h"
+#include "http_log.h"
 
 #if !defined(WIN32) && !defined(OS2) && !defined(NETWARE)
 #define HAVE_UNIX_SUEXEC
@@ -203,6 +206,7 @@ static int translate_userdir(request_rec *r)
     const char *user, *dname;
     char *redirect;
     apr_finfo_t statbuf;
+    core_server_config *sconf;
 
     /*
      * If the URI doesn't match our basic pattern, we've nothing to do with
@@ -259,6 +263,8 @@ static int translate_userdir(request_rec *r)
      * Special cases all checked, onward to normal substitution processing.
      */
 
+    sconf = ap_get_core_module_config(server_conf);
+
     while (*userdirs) {
         const char *userdir = ap_getword_conf(r->pool, &userdirs);
         char *filename = NULL, *prefix = NULL;
@@ -313,18 +319,20 @@ static int translate_userdir(request_rec *r)
         }
 
         /*
-         * Now see if it exists, or we're at the last entry. If we are at the
-         * last entry, then use the filename generated (if there is one)
-         * anyway, in the hope that some handler might handle it. This can be
-         * used, for example, to run a CGI script for the user.
-         */
+        * Now see if it exists, or we're at the last entry. If we are at the
+        * last entry, then use the filename generated (if there is one)
+        * anyway, in the hope that some handler might handle it. This can be
+        * used, for example, to run a CGI script for the user.
+        */
         if (filename && (!*userdirs
-                      || ((rv = apr_stat(&statbuf, filename, APR_FINFO_MIN,
+                      || ((rv = apr_stat(&statbuf, filename, (
+                           sconf->symlink_protect == AP_SYMLINK_PROTECT_ENABLE) ?
+                               APR_FINFO_NORM :
+                               APR_FINFO_MIN,
                                          r->pool)) == APR_SUCCESS
                                              || rv == APR_INCOMPLETE))) {
             r->filename = apr_pstrcat(r->pool, filename, dname, NULL);
-            ap_set_context_info(r, apr_pstrmemdup(r->pool, r->uri,
-                                                  dname - r->uri),
+            ap_set_context_info(r, apr_pstrmemdup(r->pool, r->uri, dname - r->uri),
                                 filename);
             /* XXX: Does this walk us around FollowSymLink rules?
              * When statbuf contains info on r->filename we can save a syscall
@@ -333,6 +341,13 @@ static int translate_userdir(request_rec *r)
             if (*userdirs && dname[0] == 0)
                 r->finfo = statbuf;
 
+            /* This is used later on to make sure the symlink exploit is not
+             * exploitable.
+             */
+            if (sconf->symlink_protect == AP_SYMLINK_PROTECT_ENABLE) {
+                apr_table_set(r->subprocess_env, "SPT_DOCROOT", filename);
+            }
+
             /* For use in the get_suexec_identity phase */
             apr_table_setn(r->notes, "mod_userdir_user", user);
 
diff --git a/modules/mappers/mod_userdir.dep b/modules/mappers/mod_userdir.dep
index 2aff834..fa229b1 100644
--- a/modules/mappers/mod_userdir.dep
+++ b/modules/mappers/mod_userdir.dep
@@ -12,6 +12,7 @@
 	"..\..\include\ap_regex.h"\
 	"..\..\include\ap_release.h"\
 	"..\..\include\apache_noprobes.h"\
+	"..\..\include\http_core.h"\
 	"..\..\include\http_config.h"\
 	"..\..\include\http_request.h"\
 	"..\..\include\httpd.h"\
diff --git a/server/core.c b/server/core.c
index 81f145f..4ee8905 100644
--- a/server/core.c
+++ b/server/core.c
@@ -21,6 +21,8 @@
 #include "apr_hash.h"
 #include "apr_thread_proc.h"    /* for RLIMIT stuff */
 #include "apr_random.h"
+#include "apr_env.h"
+#include "apr_file_io.h"
 
 #include "apr_version.h"
 #if APR_MAJOR_VERSION < 2
@@ -479,6 +481,7 @@ static void *create_core_server_config(apr_pool_t *a, server_rec *s)
 
     if (!is_virtual) {
         conf->ap_document_root = DOCUMENT_LOCATION;
+        conf->symlink_protect_root = "/var/www/html";
         conf->access_name = DEFAULT_ACCESS_FNAME;
 
         /* A mapping only makes sense in the global context */
@@ -543,6 +546,9 @@ static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
     if (virt->ap_document_root)
         conf->ap_document_root = virt->ap_document_root;
 
+    if (virt->symlink_protect_root)
+        conf->symlink_protect_root = virt->symlink_protect_root;
+
     if (virt->access_name)
         conf->access_name = virt->access_name;
 
@@ -589,6 +595,10 @@ static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
                            ? virt->merge_trailers
                            : base->merge_trailers;
 
+    conf->symlink_protect = (virt->symlink_protect != AP_SYMLINK_PROTECT_UNSET)
+                            ? virt->symlink_protect
+                            : base->symlink_protect;
+
     conf->protocols = ((virt->protocols->nelts > 0)? 
                        virt->protocols : base->protocols);
     conf->protocols_honor_order = ((virt->protocols_honor_order < 0)?
@@ -4430,6 +4440,30 @@ static const char *set_merge_trailers(cmd_parms *cmd, void *dummy, int arg)
     return NULL;
 }
 
+static const char *set_symlink_protect(cmd_parms *cmd, void *dummy, int arg)
+{
+    core_server_config *conf = ap_get_module_config(cmd->server->module_config,
+                                                    &core_module);
+    conf->symlink_protect = (arg ? AP_SYMLINK_PROTECT_ENABLE :
+                             AP_SYMLINK_PROTECT_DISABLE);
+    return NULL;
+}
+
+static const char *set_symlink_protect_root(cmd_parms *cmd, void *dummy,
+                                     const char *arg)
+{
+    char* value;
+    core_server_config *conf = ap_get_module_config(cmd->server->module_config,
+                                                    &core_module);
+    if (arg == NULL) {
+        return "SymlinkProtectRoot must have a value";
+    }
+    value = apr_pstrdup(cmd->pool, arg);
+    conf->symlink_protect_root = value;
+
+    return NULL;
+}
+
 /* Note --- ErrorDocument will now work from .htaccess files.
  * The AllowOverride of Fileinfo allows webmasters to turn it off
  */
@@ -4707,6 +4741,10 @@ AP_INIT_TAKE1("ThreadStackSize", ap_mpm_set_thread_stacksize, NULL, RSRC_CONF,
 AP_INIT_TAKE1("EnableExceptionHook", ap_mpm_set_exception_hook, NULL, RSRC_CONF,
               "Controls whether exception hook may be called after a crash"),
 #endif
+AP_INIT_FLAG("SymlinkProtect", set_symlink_protect, NULL, RSRC_CONF,
+             "Controls whether symlink protection will be active or not"),
+AP_INIT_TAKE1("SymlinkProtectRoot", set_symlink_protect_root, NULL, RSRC_CONF,
+             "Root directory of the symlink protect algorithm"),
 AP_INIT_TAKE1("TraceEnable", set_trace_enable, NULL, RSRC_CONF,
               "'on' (default), 'off' or 'extended' to trace request body content"),
 AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF,
@@ -4872,6 +4910,9 @@ static int default_handler(request_rec *r)
     int errstatus;
     apr_file_t *fd = NULL;
     apr_status_t status;
+    core_server_config *csconf;
+    apr_finfo_t post_open_dirstat;
+    apr_finfo_t post_open_finfo;
     /* XXX if/when somebody writes a content-md5 filter we either need to
      *     remove this support or coordinate when to use the filter vs.
      *     when to use this code
@@ -4882,6 +4923,13 @@ static int default_handler(request_rec *r)
     int bld_content_md5;
 
     d = (core_dir_config *)ap_get_core_module_config(r->per_dir_config);
+
+    /* must fetch global configuration.  First to determine if we are
+     * going to apply symlink protection, and second to check the document
+     * root user against the open file user if using symlink protection.
+     */
+    csconf = ap_get_module_config(r->server->module_config, &core_module);
+
     bld_content_md5 = (d->content_md5 == AP_CONTENT_MD5_ON)
                       && r->output_filters->frec->ftype != AP_FTYPE_RESOURCE;
 
@@ -4955,6 +5003,61 @@ static int default_handler(request_rec *r)
             return HTTP_FORBIDDEN;
         }
 
+        if (csconf->symlink_protect == AP_SYMLINK_PROTECT_ENABLE) {
+            /* This is where the magic is. If a user is trying to hit the apache
+             * symlink race condition, then we will know about it here.
+             */
+
+            const char *sp_docroot = apr_table_get(r->subprocess_env, "SPT_DOCROOT");
+            apr_status_t post_dirstat_rv;
+            apr_status_t post_fdstat_rv;
+
+            if (strcmp(csconf->ap_document_root, csconf->symlink_protect_root) == 0
+                && sp_docroot != NULL) {
+                /* This request is from mod_userdir. We need to stat what was stored in SPT_DOCROOT. */
+                post_dirstat_rv = apr_stat(&post_open_dirstat, sp_docroot,
+                                           APR_FINFO_USER | APR_FINFO_LINK, r->pool);
+            }
+            else {
+                /* This request matched a vhost. We need to stat ap_document_root. */
+                post_dirstat_rv = apr_stat(&post_open_dirstat, csconf->ap_document_root,
+                                           APR_FINFO_USER | APR_FINFO_LINK, r->pool);
+            }
+
+            post_fdstat_rv = apr_stat_fd(&post_open_finfo, fd, APR_FINFO_USER, r->pool);
+
+            if (((post_dirstat_rv != APR_SUCCESS && post_dirstat_rv != APR_INCOMPLETE)
+                || !(post_open_dirstat.valid & APR_FINFO_USER))
+                || ((post_fdstat_rv != APR_SUCCESS && post_fdstat_rv != APR_INCOMPLETE)
+                || !(post_open_finfo.valid & APR_FINFO_USER))) {
+                /* Then we couldn't stat either the directory root of the vhost
+                 * (very unlikely) or we couldn't stat the open file descriptor
+                 * (probably impossible).
+                 */
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                    "Could not stat directory root or open file. Aborting request.");
+                apr_file_close(fd);
+                return HTTP_NOT_FOUND;
+            }
+
+
+            if (apr_uid_compare(r->finfo.user, post_open_dirstat.user)
+                != APR_SUCCESS || apr_uid_compare(post_open_finfo.user, r->finfo.user)
+                != APR_SUCCESS) {
+                /* Then we've caught a race condition abuser. */
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                    "Caught race condition abuser. attacker: %i, victim: %i"
+                    " open file owner: %i, open file: %s", post_open_dirstat.user, r->finfo.user,
+                    post_open_finfo.user, r->filename);
+
+                apr_file_close(fd);
+                /* Return 404 because we don't want an attacker to be able to test
+                 * what files are where based on the return of an error.
+                 */
+                return HTTP_NOT_FOUND;
+            }
+        }
+
         ap_update_mtime(r, r->finfo.mtime);
         ap_set_last_modified(r);
         ap_set_etag_fd(r, fd);

Places

File 0014-Add-SymlinkProtect-and-SymlinkProtectRoot-functional.patch of Package ea-apache2

Places