From Randy Terbush <ra...@zyzzyva.com>
Subject Re: mod_cgi/453: Segmentation fault in util_script.c:call_exe()
Date Tue, 22 Apr 1997 14:12:27 GMT


Is this a valid problem?  I also like to run with unique group ids 
for logins, but never considered not having a group file.

I agree that we need to check the return here, but is it too much 
to ask to have a group file?

Another issue this raises is the contortions that we need to go 
through in suexec to convert the groupid back to a valid gid. Can 
we trust atoi not to overflow?


> >Number:         453
> >Category:       mod_cgi
> >Synopsis:       Segmentation fault in util_script.c:call_exe()
> >Confidential:   no
> >Severity:       critical
> >Priority:       medium
> >Responsible:    apache (Apache HTTP Project)
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   apache
> >Arrival-Date:   Tue Apr 22 06:50:00 1997
> >Originator:     gshapiro@wpi.edu
> >Organization:
> apache
> >Release:        1.2B8
> >Environment:
> Digital UNIX 4.0B using stock C compiler, but OS version doesn't matter for this
> bug.
> >Description:
> I reporting this problem two weeks ago via apache-bugs@apache.org and never heard
> back and it doesn't appear in the bugs database.  I'm resubmitting it with the
> form to be sure it wasn't lost since I doubt 1.2 should be released with a 
> segmentation fault problem.
> 
> call_exe() grabs the group for passing to suexec with:
> 
>             gr = getgrgid (pw->pw_gid);
> 
> And then uses gr->gr_name without ever checking to make sure gr isn't NULL. 
> At our site (any many other sites I have seen), users have a unique GID as well
> as a unique UID and therefore there isn't a /etc/group entry for pw->pw_gid.
> This causes a segmentation fault and core dump on every CGI call.
> 
> Additionally, for sites like mine, call_exe() should pass suexec a group number 
> instead of a name if a group name doesn't exist.  suexec should accept a group 
> number instead of a name as an argument.  The patches in the "Do you have any
> suggested way to fix it?" section include a fix for the segmentation fault as
> well as the fix for using the gid if the group doesn't have a name.
> >How-To-Repeat:
> Create a password entry with a pw->pw_gid that doesn't exist in /etc/group.
> >Fix:
> These patches fix the problems outlined above.  They are gziped and uuencoded to
> protect spacing, etc, which would be lost by a cut and paste into the web form.


*** src/util_script.c~orig	Tue Mar 18 04:46:27 1997
--- src/util_script.c	Thu Apr 10 20:59:18 1997
***************
*** 436,441 ****
--- 436,442 ----
      core_dir_config *conf;
      struct passwd *pw;
      struct group *gr;
+     char *grpname;
      
      conf = (core_dir_config *)get_module_config(r->per_dir_config, &core_module);
  
***************
*** 551,557 ****
  		return;
  	    }
              r->uri -= 2;
!             gr = getgrgid (pw->pw_gid);
              execuser = (char *) palloc (r->pool, (sizeof(pw->pw_name) + 1));
              execuser = pstrcat (r->pool, "~", pw->pw_name, NULL);
          }
--- 552,565 ----
  		return;
  	    }
              r->uri -= 2;
!             if ((gr = getgrgid (pw->pw_gid)) == NULL) {
! 		if ((grpname = palloc (r->pool, 16)) == NULL) 
! 		    return;
! 		else
! 		    ap_snprintf(grpname, sizeof(grpname), "%d\0", pw->pw_gid);
! 	    }
! 	    else
! 		grpname = gr->gr_name;
              execuser = (char *) palloc (r->pool, (sizeof(pw->pw_name) + 1));
              execuser = pstrcat (r->pool, "~", pw->pw_name, NULL);
          }
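Review bot: `sizeof(grpname)` in the `ap_snprintf` call is the size of the pointer, not of the 16-byte buffer returned by `palloc`, so the formatted gid is limited to `sizeof(char *) - 1` characters. A gid with more digits than that would be silently shortened, and suexec would be handed a different group number than `pw->pw_gid`. Pass the allocation size explicitly and drop the redundant `\0` from the format: `ap_snprintf(grpname, 16, "%d", pw->pw_gid);`. The enclosing function starts and ends outside this hunk.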
***************
*** 569,582 ****
          }
    
    	if (shellcmd)
! 	    execle(SUEXEC_BIN, SUEXEC_BIN, execuser, gr->gr_name, argv0, NULL, env);
  
    	else if((!r->args) || (!r->args[0]) || (ind(r->args,'=') >= 0))
! 	    execle(SUEXEC_BIN, SUEXEC_BIN, execuser, gr->gr_name, argv0, NULL, env);
  
    	else {
  	    execve(SUEXEC_BIN,
! 		   create_argv(r, SUEXEC_BIN, execuser, gr->gr_name, argv0, r->args, (void *)NULL),
  		   env);
  	}
      }
--- 577,590 ----
          }
    
    	if (shellcmd)
! 	    execle(SUEXEC_BIN, SUEXEC_BIN, execuser, grpname, argv0, NULL, env);
  
    	else if((!r->args) || (!r->args[0]) || (ind(r->args,'=') >= 0))
! 	    execle(SUEXEC_BIN, SUEXEC_BIN, execuser, grpname, argv0, NULL, env);
  
    	else {
  	    execve(SUEXEC_BIN,
! 		   create_argv(r, SUEXEC_BIN, execuser, grpname, argv0, r->args, (void *)NULL),
  		   env);
  	}
      }
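Review bot: All three exec calls now read `grpname`, but the patch assigns it only in the `getgrgid(pw->pw_gid)` branch of the previous hunk, and it is declared without an initialiser. The old lines used `gr->gr_name` on every path, so there is presumably another branch outside these hunks that sets `gr`. If that branch is left as it is, `grpname` is uninitialised when suexec is invoked for those requests. That branch needs the same NULL check and `grpname` assignment, and declaring `char *grpname = NULL;` would make a missed path fail visibly. The function body continues outside this hunk.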
*** support/suexec.c~orig	Mon Apr  7 13:48:39 1997
--- support/suexec.c	Thu Apr 10 21:58:45 1997
***************
*** 294,311 ****
      /*
       * Error out if the target group name is invalid.
       */
!     if ((gr = getgrnam(target_gname)) == NULL) {
! 	log_err("invalid target group name: (%s)\n", target_gname);
! 	exit(106);
      }
  
      /*
       * Save these for later since initgroups will hose the struct
       */
      uid = pw->pw_uid;
-     gid = gr->gr_gid;
      actual_uname = strdup(pw->pw_name);
-     actual_gname = strdup(gr->gr_name);
      target_homedir = strdup(pw->pw_dir);
  
      /*
--- 294,317 ----
      /*
       * Error out if the target group name is invalid.
       */
!     if (strspn(target_gname, "1234567890") != strlen(target_gname)) {
! 	if ((gr = getgrnam(target_gname)) == NULL) {
! 	    log_err("invalid target group name: (%s)\n", target_gname);
! 	    exit(106);
! 	}
! 	gid = gr->gr_gid;
! 	actual_gname = strdup(gr->gr_name);
      }
+     else {
+ 	gid = atoi(target_gname);
+ 	actual_gname = strdup(target_gname);
+     }
  
      /*
       * Save these for later since initgroups will hose the struct
       */
      uid = pw->pw_uid;
      actual_uname = strdup(pw->pw_name);
      target_homedir = strdup(pw->pw_dir);
  
      /*
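Review bot: An empty `target_gname` takes the numeric branch, because `strspn` and `strlen` both return 0 for it, and `atoi("")` then yields gid 0. Whether a later check rejects gid 0 is not visible in this hunk, so the empty string should be sent to the `getgrnam` path, where it is logged and refused: `if (target_gname[0] == '\0' || strspn(target_gname, "1234567890") != strlen(target_gname)) {`. The comment above the test should also change, since an all-digit argument is no longer validated against the group file; something like `/* Look up a group name; an all-digit argument is taken as a raw gid with no group-file check. */`.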


