1 files changed, 39 insertions, 24 deletions

diff --git a/network/suphp/suphp.SlackBuild b/network/suphp/suphp.SlackBuild
index 42515eb197..e3e9eff0cc 100644
--- a/network/suphp/suphp.SlackBuild
+++ b/network/suphp/suphp.SlackBuild
@@ -2,10 +2,14 @@
 
 # Slackware build script for suPHP
 
-# Written by Menno E. Duursma <druiloor@zonnet.nl>
+# Written by Menno Duursma <druiloor@zonnet.nl>
+
+# This program is free software. It comes without any warranty.
+# Granted WTFPLv2, as published by Sam Hocevar dec'04.
+# For details see http://sam.zoy.org/wtfpl/COPYING
 
 PRGNAM=suphp
-VERSION=0.6.3
+VERSION=${VERSION:-0.7.1}
 ARCH=${ARCH:-i486}
 BUILD=${BUILD:-1}
 TAG=${TAG:-_SBo}
@@ -13,7 +17,10 @@ TAG=${TAG:-_SBo}
 CWD=$(pwd)
 TMP=${TMP:-/tmp/SBo}
 PKG=$TMP/package-$PRGNAM
-OUTPUT=${OUTPUT:-/tmp}	# Drop the package in /tmp
+OUTPUT=${OUTPUT:-/tmp}
+
+# On capability enabled filesystems this may be enabled
+FCAPS=${FCAPS:-false}
 
 # The stock Apache on Slackware runs httpd under system
 # user/group account 'apache'. If you happen to use some
@@ -40,11 +47,13 @@ cd $PRGNAM-$VERSION
 chown -R root:root .
 chmod -R u+w,go+r-w,a-s .
 
-# Apply a patch to have it globally honor the suPHP_Engine directive
-patch -p0 --verbose < $CWD/suphp-$VERSION-vhosts.patch
+# FCAPS: remove ruid-root check from source
+if [ "$FCAPS" != "false" ]; then
+  patch --verbose -p1 < $CWD/patches/suphp-0.7.1-nosuid.diff
+fi
 
 # Default to secure settings, as any of the configuration options 
-# can be overwritten in the config-file /etc/httpd/suphp.conf anyway
+# can be overwritten in the config file /etc/httpd/suphp.conf anyway
 CFLAGS="$SLKCFLAGS" \
 CXXFLAGS="$SLKCFLAGS" \
 ./configure \
@@ -55,25 +64,28 @@ CXXFLAGS="$SLKCFLAGS" \
   --with-apache-user=$HTTPD_USER \
   --with-logfile=/var/log/httpd/suphp_log \
   --enable-static=no \
-  --build=$ARCH-slackware-linux \
-  --host=$ARCH-slackware-linux
+  --build=$ARCH-slackware-linux
 
 make
-make install DESTDIR=$PKG
 
-( cd $PKG
-  find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
-  find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
-)
+# Following only strips the wrapper
+make install-strip DESTDIR=$PKG
+
+# Strip the DSO as well
+find $PKG -type f  | xargs file | grep "shared object" | grep ELF \
+  | cut -f 1 -d : | xargs strip -v --strip-unneeded 2> /dev/null
 
 mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
 cp -a AUTHORS COPYING ChangeLog doc/* $PKG/usr/doc/$PRGNAM-$VERSION
 cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
-cat $CWD/README > $PKG/usr/doc/$PRGNAM-$VERSION/README.SBo
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
 
 mkdir -p $PKG/etc/httpd
+cat $CWD/config/mod_suphp.conf > $PKG/etc/httpd/mod_suphp.conf.new
+
+# Make sure the user Apache runs as in correctly reflected
 sed s/'webserver_user=apache'/"webserver_user=$HTTPD_USER"/g \
-  $CWD/suphp.conf >> $PKG/etc/httpd/suphp.conf.new
+  $CWD/config/suphp.conf > $PKG/etc/httpd/suphp.conf.new
 
 mkdir -p $PKG/install
 cat $CWD/slack-desc > $PKG/install/slack-desc
@@ -81,15 +93,18 @@ cat $CWD/doinst.sh > $PKG/install/doinst.sh
 
 # Make sure the access permissions on target host are such that
 # only the group Apache runs as has access to it
-echo "chgrp $HTTPD_GROUP usr/sbin/suphp" >> $PKG/install/doinst.sh
-echo "chmod 4750 usr/sbin/suphp" >> $PKG/install/doinst.sh
+chown root:$HTTPD_GROUP $PKG/usr/sbin/suphp
+
+# Install setuid unless caller requested otherwise
+if [ "$FCAPS" != "false" ]; then
+  chmod 0750 $PKG/usr/sbin/suphp
+  # Note: on a chrooted Apache: this should fence the jail
+  echo 'setcap "cap_setgid=ep cap_setuid=ep" usr/sbin/suphp' \
+    >> $PKG/install/doinst.sh
+else
+  # Install setuid-root
+  chmod 4750 $PKG/usr/sbin/suphp
+fi
 
 cd $PKG
 /sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz
-
-# Clean up the extra stuff
-if [ "$1" = "--cleanup" ]; then
-  rm -rf $TMP/$PRGNAM-$VERSION
-  rm -rf $PKG
-fi
-