authorwurblzap%gmail.com <>2009-04-03 10:03:13 +0200
committerwurblzap%gmail.com <>2009-04-03 10:03:13 +0200
commitf9a7938b592a1d95fc718c2b86cf90506615b675 (patch)
treef9f1bf1140524cc5b7d13e5ffb6964fbf9d382d7 /Bugzilla/Install
parentaec6c53cdb75228c974110478e57df62bed602bd (diff)
downloadbugzilla-f9a7938b592a1d95fc718c2b86cf90506615b675.tar.gz
bugzilla-f9a7938b592a1d95fc718c2b86cf90506615b675.tar.xz
Bug 123165 – Permissions setup option for bugzilla_user==webserver_user (suexec).
Patch by Marc Schumann <wurblzap@gmail.com>; r/a=mkanat
Diffstat (limited to 'Bugzilla/Install')
-rw-r--r--Bugzilla/Install/Filesystem.pm13
-rw-r--r--Bugzilla/Install/Localconfig.pm21
2 files changed, 26 insertions, 8 deletions
diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
index 17129b2ab..4cbbd57cc 100644
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -51,10 +51,10 @@ our @EXPORT = qw(
# a perldoc. However, look at the various hashes defined inside this
# function to understand what it returns. (There are comments throughout.)
#
-# The rationale for the file permissions is that the web server generally
-# runs as apache, so the cgi scripts should not be writable for apache,
-# otherwise someone may find it possible to change the cgis when exploiting
-# some security flaw somewhere (not necessarily in Bugzilla!)
+# The rationale for the file permissions is that there is a group the
+# web server executes the scripts as, so the cgi scripts should not be writable
+# by this group. Otherwise someone may find it possible to change the cgis
+# when exploiting some security flaw somewhere (not necessarily in Bugzilla!)
sub FILESYSTEM {
my $datadir = bz_locations()->{'datadir'};
my $attachdir = bz_locations()->{'attachdir'};
@@ -67,6 +67,7 @@ sub FILESYSTEM {
my $localconfig = bz_locations()->{'localconfig'};
my $ws_group = Bugzilla->localconfig->{'webservergroup'};
+ my $use_suexec = Bugzilla->localconfig->{'use_suexec'};
# The set of permissions that we use:
@@ -76,7 +77,7 @@ sub FILESYSTEM {
# Executable by the owner only.
my $owner_executable = 0700;
# Readable by the web server.
- my $ws_readable = $ws_group ? 0640 : 0644;
+ my $ws_readable = ($ws_group && !$use_suexec) ? 0640 : 0644;
# Readable by the owner only.
my $owner_readable = 0600;
# Writeable by the web server.
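Review bot: The relaxed `$ws_readable` on the changed line is not confined to static assets: every entry in the permission tables that uses this constant becomes world-readable (0644) once `use_suexec` is set, and those tables lie outside this hunk, so I cannot confirm here whether that includes files such as localconfig or the templates that only the scripts need to read. Under SuexecUserGroup the CGIs already execute as the file owner, so only files Apache serves directly (CSS, JavaScript, images) need the world-read bit; everything else could keep the 0640/0600 it had. A dedicated constant would make that explicit, e.g. `my $static_readable = ($ws_group && !$use_suexec) ? 0640 : 0644;` used for the static-file entries, with `$ws_readable` left unchanged. The same consideration applies to `$ws_dir_readable` in the following hunk. FILESYSTEM's body continues outside the hunk.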
@@ -84,7 +85,7 @@ sub FILESYSTEM {
# DIRECTORIES
# Readable by the web server.
- my $ws_dir_readable = $ws_group ? 0750 : 0755;
+ my $ws_dir_readable = ($ws_group && !$use_suexec) ? 0750 : 0755;
# Readable only by the owner.
my $owner_dir_readable = 0700;
# Writeable by the web server.
diff --git a/Bugzilla/Install/Localconfig.pm b/Bugzilla/Install/Localconfig.pm
index 5cd7755e8..971064722 100644
--- a/Bugzilla/Install/Localconfig.pm
+++ b/Bugzilla/Install/Localconfig.pm
@@ -67,9 +67,11 @@ EOT
{
name => 'webservergroup',
default => ON_WINDOWS ? '' : 'apache',
- desc => q{# This is the group your web server runs as.
+ desc => q{# Usually, this is the group your web server runs as.
# If you have a Windows box, ignore this setting.
-# If you do not have access to the group your web server runs under,
+# If you have use_suexec switched on below, this is the group Apache switches
+# to in order to run Bugzilla scripts.
+# If you do not have access to the group your scripts will run under,
# set this to "". If you do set this to "", then your Bugzilla installation
# will be _VERY_ insecure, because some files will be world readable/writable,
# and so anyone who can get local access to your machine can do whatever they
@@ -79,6 +81,21 @@ EOT
# as} . ROOT_USER . qq{, or as a user who is a member of the specified group.\n}
},
{
+ name => 'use_suexec',
+ default => 0,
+ desc => <<EOT
+# Set this if Bugzilla runs in an Apache SuexecUserGroup environment.
+# (If your web server runs control panel software (cPanel, Plesk or similar),
+# or if your Bugzilla is to run in a shared hosting environment, then you are
+# almost certainly in an Apache SuexecUserGroup environment.)
+# If you have a Windows box, ignore this setting.
+# If set to 0, Bugzilla will set file permissions as tightly as possible.
+# If set to 1, Bugzilla will set file permissions so that it may work in an
+# SuexecUserGroup environment. The difference is that static files (CSS,
+# JavaScript and so on) will receive world read permissions.
+EOT
+ },
+ {
name => 'db_driver',
default => 'mysql',
desc => <<EOT
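Review bot: The last two comment lines of the new `use_suexec` description understate what the setting does: the constants it relaxes in Filesystem.pm (`$ws_readable`, `$ws_dir_readable`) govern every file and directory assigned to them, not only CSS and JavaScript, so an administrator reading this text would not expect other Bugzilla files to become world-readable. I would reword them as `# SuexecUserGroup environment. The difference is that files and directories the` / `# web server must read (not only static files such as CSS and JavaScript)` / `# receive world read permissions instead of group read permissions.`, which also fixes "an SuexecUserGroup" to "a SuexecUserGroup". It would also help to state that with `webservergroup` set to "" this setting makes no difference, since the permissions are already 0644/0755 in that case.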