From: "Lars Wendler"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Lars Wendler"
Message-ID: <1531811403.04d8c60e97d7fcbd225b060c244a4709cd2f73ab.polynomial-c@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/files/, www-servers/apache/
X-VCS-Repository: repo/gentoo
X-VCS-Files: www-servers/apache/apache-2.4.34-r1.ebuild www-servers/apache/apache-2.4.34.ebuild www-servers/apache/files/apache-2.4.34-suexec_parallel_install.patch www-servers/apache/metadata.xml
X-VCS-Directories: www-servers/apache/ www-servers/apache/files/
X-VCS-Committer: polynomial-c
X-VCS-Committer-Name: Lars Wendler
X-VCS-Revision: 04d8c60e97d7fcbd225b060c244a4709cd2f73ab
X-VCS-Branch: master
Date: Tue, 17 Jul 2018 07:10:11 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: af7c2f62-b60f-4449-97ac-e6660ec45bd9
X-Archives-Hash: 023889dd57cdc0ee0cfed1c508bdd35c

commit:     04d8c60e97d7fcbd225b060c244a4709cd2f73ab
Author:     Lars Wendler gentoo org>
AuthorDate: Tue Jul 17 07:08:50 2018 +0000
Commit:     Lars Wendler gentoo org>
CommitDate: Tue Jul 17 07:10:03 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04d8c60e

www-servers/apache: Revbump to add new suexec related USE flags.

Also fixed a parallel install issue with suexec binary.

Closes: https://bugs.gentoo.org/661358
Package-Manager: Portage-2.3.43, Repoman-2.3.10

 .../{apache-2.4.34.ebuild => apache-2.4.34-r1.ebuild} | 12 ++++++++++--
 .../files/apache-2.4.34-suexec_parallel_install.patch | 19 +++++++++++++++++++
 www-servers/apache/metadata.xml | 2 ++
 3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/www-servers/apache/apache-2.4.34.ebuild b/www-servers/apache/apache-2.4.34-r1.ebuild similarity index 96% rename from www-servers/apache/apache-2.4.34.ebuild rename to www-servers/apache/apache-2.4.34-r1.ebuild index eee96296f45..cf545f229ee 100644 --- a/www-servers/apache/apache-2.4.34.ebuild +++ b/www-servers/apache/apache-2.4.34-r1.ebuild @@ -130,21 +130,29 @@ HOMEPAGE="https://httpd.apache.org/" # some helper scripts are Apache-1.1, thus both are here LICENSE="Apache-2.0 Apache-1.1" SLOT="2" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris" + # Enable http2 by default (bug #563452) # FIXME: Move to apache-2.eclass once this has reached stable. IUSE="${IUSE/apache2_modules_http2/+apache2_modules_http2}" +# New suexec options (since 2.4.34) +IUSE="${IUSE} +suexec-caps suexec-syslog" CDEPEND="apache2_modules_brotli? ( >=app-arch/brotli-0.6.0:= ) apache2_modules_http2? ( >=net-libs/nghttp2-1.2.1 ) apache2_modules_md? ( >=dev-libs/jansson-2.10 )" -DEPEND+="${CDEPEND}" +DEPEND+="${CDEPEND} + suexec? ( suexec-caps? ( sys-libs/libcap ) )" RDEPEND+="${CDEPEND}" REQUIRED_USE="apache2_modules_http2? ( ssl ) apache2_modules_md? ( ssl )" +PATCHES=( + "${FILESDIR}/${PN}-2.4.34-suexec_parallel_install.patch" #661358 +) + pkg_setup() { # dependend critical modules which are not allowed in global scope due # to USE flag conditionals (bug #499260) diff --git a/www-servers/apache/files/apache-2.4.34-suexec_parallel_install.patch b/www-servers/apache/files/apache-2.4.34-suexec_parallel_install.patch new file mode 100644 index 00000000000..d5543f7004b --- /dev/null +++ b/www-servers/apache/files/apache-2.4.34-suexec_parallel_install.patch 
@@ -0,0 +1,19 @@ +https://bugs.gentoo.org/661358 + +--- httpd-2.4.34/Makefile.in ++++ httpd-2.4.34/Makefile.in +@@ -277,12 +277,12 @@ + $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ + fi + +-install-suexec-setuid: ++install-suexec-setuid: install-suexec-binary + @if test -f $(builddir)/support/suexec; then \ + chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ + fi + +-install-suexec-caps: ++install-suexec-caps: install-suexec-binary + @if test -f $(builddir)/support/suexec; then \ + setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ + fi diff --git a/www-servers/apache/metadata.xml b/www-servers/apache/metadata.xml index 293e43d3f29..af77bdc266c 100644 --- a/www-servers/apache/metadata.xml +++ b/www-servers/apache/metadata.xml @@ -13,6 +13,8 @@ Install suexec with apache + Install suexec with capabilities instead of SUID + Log suexec to syslog instead of to a separate file Link in apache2 modules statically rather then plugins Group authorizations based on host (name or IP address). Available as a compatibility module with previous versions. Provides core authentication capabilities common to all authentication providers (functionality provided by authn_alias in previous versions).
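Review bot: In the apache-2.4.34-r1.ebuild hunk, the new `IUSE="${IUSE} +suexec-caps suexec-syslog"` line enables suexec-caps by default, but the only place either flag is consumed in this hunk is the `suexec? ( suexec-caps? ( sys-libs/libcap ) )` entry in DEPEND; nothing visible maps the two flags to a configure switch. If that mapping lives in apache-2.eclass, the comment above the IUSE line should say so, since otherwise the flags appear to do nothing beyond pulling in libcap. The same hunk also drops ~amd64-fbsd and ~x86-fbsd from KEYWORDS, which the commit message does not mention; that belongs in the message or in a separate commit.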
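Review bot: In the new apache-2.4.34-suexec_parallel_install.patch, the install-suexec-caps recipe runs `setcap 'cap_setuid,cap_setgid+pe'` against $(DESTDIR)$(sbindir)/suexec, so the capability is written as an extended attribute on the staged file rather than on the live one. With suexec-caps now on by default, please confirm that the install phase has the privilege to set file capabilities and that the attribute survives the copy out of the image; if it is lost, the installed suexec has neither the setuid bit nor the capabilities. The guard in both recipes tests $(builddir)/support/suexec while the action targets the $(DESTDIR) copy, so testing the installed path would be the more direct check now that install-suexec-binary is a prerequisite. The patch header carries only the bug URL; a one-line description of the ordering problem would help whoever forward-ports it.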
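Review bot: In the metadata.xml hunk, the two added descriptions ("Install suexec with capabilities instead of SUID" and "Log suexec to syslog instead of to a separate file") do not say that they only take effect together with the suexec flag described on the line above them. Suggest stating that dependency in each description, and naming the capabilities granted (cap_setuid and cap_setgid, per the Makefile patch) so an administrator can tell what privilege the binary ends up with.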