From c54018b07a9085c0a3aedbc2bd01a85a3b3e20cf Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sat, 25 May 2024 06:41:27 +0200
Subject: Merging upstream version 2.4.59.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 modules/md/mod_md_os.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

(limited to 'modules/md/mod_md_os.c')

diff --git a/modules/md/mod_md_os.c b/modules/md/mod_md_os.c
index f96d566..06a5bee 100644
--- a/modules/md/mod_md_os.c
+++ b/modules/md/mod_md_os.c
@@ -17,10 +17,6 @@
 #include <assert.h>
 #include <apr_strings.h>
 
-#ifndef AP_ENABLE_EXCEPTION_HOOK
-#define AP_ENABLE_EXCEPTION_HOOK 0
-#endif
-
 #include <mpm_common.h>
 #include <httpd.h>
 #include <http_log.h>
@@ -29,9 +25,6 @@
 #if APR_HAVE_UNISTD_H
 #include <unistd.h>
 #endif
-#ifdef WIN32
-#include "mpm_winnt.h"
-#endif
 #if AP_NEED_SET_MUTEX_PERMS
 #include "unixd.h"
 #endif
@@ -41,14 +34,20 @@
 
 apr_status_t md_try_chown(const char *fname, unsigned int uid, int gid, apr_pool_t *p)
 {
-#if AP_NEED_SET_MUTEX_PERMS
-    if (-1 == chown(fname, (uid_t)uid, (gid_t)gid)) {
-        apr_status_t rv = APR_FROM_OS_ERROR(errno);
-        if (!APR_STATUS_IS_ENOENT(rv)) {
-            ap_log_perror(APLOG_MARK, APLOG_ERR, rv, p, APLOGNO(10082)
-                         "Can't change owner of %s", fname);
+#if AP_NEED_SET_MUTEX_PERMS && HAVE_UNISTD_H
+    /* Since we only switch user when running as root, we only need to chown directories
+     * in that case. Otherwise, the server will ignore any "user/group" directives and
+     * child processes have the same privileges as the parent.
+     */
+    if (!geteuid()) {
+        if (-1 == chown(fname, (uid_t)uid, (gid_t)gid)) {
+            apr_status_t rv = APR_FROM_OS_ERROR(errno);
+            if (!APR_STATUS_IS_ENOENT(rv)) {
+                ap_log_perror(APLOG_MARK, APLOG_ERR, rv, p, APLOGNO(10082)
+                              "Can't change owner of %s", fname);
+            }
+            return rv;
         }
-        return rv;
     }
     return APR_SUCCESS;
 #else 
@@ -58,10 +57,10 @@ apr_status_t md_try_chown(const char *fname, unsigned int uid, int gid, apr_pool
 
 apr_status_t md_make_worker_accessible(const char *fname, apr_pool_t *p)
 {
-#if AP_NEED_SET_MUTEX_PERMS
-    return md_try_chown(fname, ap_unixd_config.user_id, -1, p);
-#else 
+#ifdef WIN32
     return APR_ENOTIMPL;
+#else 
+    return md_try_chown(fname, ap_unixd_config.user_id, -1, p);
 #endif
 }
 
-- 
cgit v1.2.3