whereisaaron · September 12, 2023 14:57 · whereisaaron · Sep 6, 2022
diff --git a/apache2.conf b/apache2.conf
 # ... more config ...

 MDMessageCmd /usr/local/sbin/md_event

 # ... more config ...
diff --git a/Dockerfile b/Dockerfile
 #--------------------------------------
 # Build md_event command
 #--------------------------------------
 FROM gcc:bullseye as build
 COPY ./md_event.c .
 RUN gcc md_event.c -o md_event

 #--------------------------------------
 # Apache container
 #--------------------------------------
 FROM ubuntu/apache2:2.4-22.04_beta

 # ...Configure apache2...

 COPY --from=build md_event /usr/local/sbin/md_event
 RUN chmod u+s /usr/local/sbin/md_event
 COPY ./md_event.sh /usr/local/sbin/
diff --git a/md_event.c b/md_event.c
 /*
 * Execute md_event.sh
 *
 * 'md_event.sh' is an event handler for apache2 'mod_md' events,
 * including setting up ACME challenge responses for certificates,
 * and after renewing certificates.
 *
 * This binary simply executes 'md_event.sh' in a fixed location,
 * passing any command arguments.
 *
 * By making the 'md_event' binary compiled from this code 'setuid'
 * the 'mod_md' bash script will we run as 'root', which enables
 * the script to restart apache2, enabling it to load any new
 * or renewed certificiates mod_md has in the 'staging' directory.
 *
 * The 'md_event' binary and 'md_event.sh' script must be protected
 * from tampering or else your attacker will thank you later.
 *
 */

 #define _GNU_SOURCE
 #include <stdio.h>
 #include <unistd.h>
 #include <errno.h>

 const char script_path[] = "/usr/local/sbin/md_event.sh";

 int main (int argc, char *argv[]) {

    // Set uid to 'root'
    if (setuid(0) != 0) {
        perror("Failed to change user to root");
        return errno;
    }

    // Exec the script (using its hash-bang interpretor)
    execv(script_path, argv);
    // execv() will only return if an error occurred
    char *message;
    asprintf(&message, "Failed to exec %s", script_path);
    perror(message);
    return errno;
 }
diff --git a/md_event.sh b/md_event.sh
 #!/bin/bash

 # Log the invocation and effective user id
 echo "Running as $(id -nu $EUID): md_event.sh $*"

 #
 # Restart apache2 gracefully
 # This enable mod_md to load newly renewed certificate
 # This script needs to be run as root
 #

 # We only care about after a certificate has been renewed
 if [[ "$1" != "renewed" ]]; then
  exit 0
 fi

 # Debian default 'nofiles' ulimit is to set 8192 but AWS ECS Fargate hard limit is 4096
 # This env var will change command run by '/usr/sbin/apachectl'
 export APACHE_ULIMIT_MAX_FILES="ulimit -n 4096"

 echo "Domain '$2' has been renewed, restarting apache2"
 apache2ctl configtest && apache2ctl graceful

 result=$?
 if (( $result == 0 )); then
  echo "Successful restart of apache2 after renewal of '$2'"
 else
  echo "Failed restart of apache2 after renewal of '$2'"
 fi

 # No-zero exit will mean mod_md will keeping make this same call again
 # until zero is returned, which increasing back-off periods.
 exit $result

 # end
	# ... more config ...

	MDMessageCmd /usr/local/sbin/md_event

	# ... more config ...
	#--------------------------------------
	# Build md_event command
	#--------------------------------------
	FROM gcc:bullseye as build
	COPY ./md_event.c .
	RUN gcc md_event.c -o md_event

	#--------------------------------------
	# Apache container
	#--------------------------------------
	FROM ubuntu/apache2:2.4-22.04_beta

	# ...Configure apache2...

	COPY --from=build md_event /usr/local/sbin/md_event
	RUN chmod u+s /usr/local/sbin/md_event
	COPY ./md_event.sh /usr/local/sbin/
	/*
	* Execute md_event.sh
	*
	* 'md_event.sh' is an event handler for apache2 'mod_md' events,
	* including setting up ACME challenge responses for certificates,
	* and after renewing certificates.
	*
	* This binary simply executes 'md_event.sh' in a fixed location,
	* passing any command arguments.
	*
	* By making the 'md_event' binary compiled from this code 'setuid'
	* the 'mod_md' bash script will we run as 'root', which enables
	* the script to restart apache2, enabling it to load any new
	* or renewed certificiates mod_md has in the 'staging' directory.
	*
	* The 'md_event' binary and 'md_event.sh' script must be protected
	* from tampering or else your attacker will thank you later.
	*
	*/

	#define _GNU_SOURCE
	#include <stdio.h>
	#include <unistd.h>
	#include <errno.h>

	const char script_path[] = "/usr/local/sbin/md_event.sh";

	int main (int argc, char *argv[]) {

	// Set uid to 'root'
	if (setuid(0) != 0) {
	perror("Failed to change user to root");
	return errno;
	}

	// Exec the script (using its hash-bang interpretor)
	execv(script_path, argv);
	// execv() will only return if an error occurred
	char *message;
	asprintf(&message, "Failed to exec %s", script_path);
	perror(message);
	return errno;
	}
	#!/bin/bash

	# Log the invocation and effective user id
	echo "Running as $(id -nu $EUID): md_event.sh $*"

	#
	# Restart apache2 gracefully
	# This enable mod_md to load newly renewed certificate
	# This script needs to be run as root
	#

	# We only care about after a certificate has been renewed
	if [[ "$1" != "renewed" ]]; then
	exit 0
	fi

	# Debian default 'nofiles' ulimit is to set 8192 but AWS ECS Fargate hard limit is 4096
	# This env var will change command run by '/usr/sbin/apachectl'
	export APACHE_ULIMIT_MAX_FILES="ulimit -n 4096"

	echo "Domain '$2' has been renewed, restarting apache2"
	apache2ctl configtest && apache2ctl graceful

	result=$?
	if (( $result == 0 )); then
	echo "Successful restart of apache2 after renewal of '$2'"
	else
	echo "Failed restart of apache2 after renewal of '$2'"
	fi

	# No-zero exit will mean mod_md will keeping make this same call again
	# until zero is returned, which increasing back-off periods.
	exit $result

	# end