httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: mod_cgi/453: Segmentation fault in util_script.c:call_exe()
Date Tue, 22 Apr 1997 14:47:30 GMT
On Tue, 22 Apr 1997, Randy Terbush wrote:

> 
> 
> Is this a valid problem?  I also like to run with unique group ids 
> for logins, but never considered not having a group file.
> 
> I agree that we need to check the return here, but is it too much 
> to ask to have a group file?
> 
> Another issue this raises is the contortions that we need to go 
> through in suexec to convert the groupid back to a valid gid. Can 
> we trust atoi not to have overflows?

Why not do everything with numeric IDs?  Yes, I would trust atoi().

This problem should be fixed, even if the fix is just to have the server say
"give the group a name you moron". 

> 
> 
> > >Number:         453
> > >Category:       mod_cgi
> > >Synopsis:       Segmentation fault in util_script.c:call_exe()
> > >Confidential:   no
> > >Severity:       critical
> > >Priority:       medium
> > >Responsible:    apache (Apache HTTP Project)
> > >State:          open
> > >Class:          sw-bug
> > >Submitter-Id:   apache
> > >Arrival-Date:   Tue Apr 22 06:50:00 1997
> > >Originator:     gshapiro@wpi.edu
> > >Organization:
> > apache
> > >Release:        1.2B8
> > >Environment:
> > Digital UNIX 4.0B using stock C compiler, but OS version doesn't matter for this
> > bug.
> > >Description:
> > I reported this problem two weeks ago via apache-bugs@apache.org and never heard
> > back and it doesn't appear in the bugs database.  I'm resubmitting it with the
> > form to be sure it wasn't lost since I doubt 1.2 should be released with a 
> > segmentation fault problem.
> > 
> > call_exe() grabs the group for passing to suexec with:
> > 
> >             gr = getgrgid (pw->pw_gid);
> > 
> > And then uses gr->gr_name without ever checking to make sure gr isn't NULL. 
> > At our site (and many other sites I have seen), users have a unique GID as well
> > as a unique UID and therefore there isn't a /etc/group entry for pw->pw_gid.
> > This causes a segmentation fault and core dump on every CGI call.
> > 
> > Additionally, for sites like mine, call_exe() should pass suexec a group number 
> > instead of name if a group name doesn't exist.  suexec should accept a group 
> > number instead of name as an argument.  The patches in the "Do you have any
> > suggested way to fix it?" section include a fix for the segmentation fault as
> > well as the fix for using the gid if the group doesn't have a name.
> > >How-To-Repeat:
> > Create a password entry with a pw->pw_gid that doesn't exist in /etc/group.
> > >Fix:
> > These patches fix the problems outlined above.  They are gzipped and uuencoded to
> > protect spacing, etc, which would be lost by a cut and paste into the web form.
> 
> 
> *** src/util_script.c~orig	Tue Mar 18 04:46:27 1997
> --- src/util_script.c	Thu Apr 10 20:59:18 1997
> ***************
> *** 436,441 ****
> --- 436,442 ----
>       core_dir_config *conf;
>       struct passwd *pw;
>       struct group *gr;
> +     char *grpname;
>       
>       conf = (core_dir_config *)get_module_config(r->per_dir_config, &core_module);
>   
> ***************
> *** 551,557 ****
>   		return;
>   	    }
>               r->uri -= 2;
> !             gr = getgrgid (pw->pw_gid);
>               execuser = (char *) palloc (r->pool, (sizeof(pw->pw_name) + 1));
>               execuser = pstrcat (r->pool, "~", pw->pw_name, NULL);
>           }
> --- 552,565 ----
>   		return;
>   	    }
>               r->uri -= 2;
> !             if ((gr = getgrgid (pw->pw_gid)) == NULL) {
> ! 		if ((grpname = palloc (r->pool, 16)) == NULL) 
> ! 		    return;
> ! 		else
> ! 		    ap_snprintf(grpname, sizeof(grpname), "%d\0", pw->pw_gid);
> ! 	    }
> ! 	    else
> ! 		grpname = gr->gr_name;
>               execuser = (char *) palloc (r->pool, (sizeof(pw->pw_name) + 1));
>               execuser = pstrcat (r->pool, "~", pw->pw_name, NULL);
>           }
> ***************
> *** 569,582 ****
>           }
>     
>     	if (shellcmd)
> ! 	    execle(SUEXEC_BIN, SUEXEC_BIN, execuser, gr->gr_name, argv0, NULL, env);
>   
>     	else if((!r->args) || (!r->args[0]) || (ind(r->args,'=') >= 0))
> ! 	    execle(SUEXEC_BIN, SUEXEC_BIN, execuser, gr->gr_name, argv0, NULL, env);
>   
>     	else {
>   	    execve(SUEXEC_BIN,
> ! 		   create_argv(r, SUEXEC_BIN, execuser, gr->gr_name, argv0, r->args, (void
*)NULL),
>   		   env);
>   	}
>       }
> --- 577,590 ----
>           }
>     
>     	if (shellcmd)
> ! 	    execle(SUEXEC_BIN, SUEXEC_BIN, execuser, grpname, argv0, NULL, env);
>   
>     	else if((!r->args) || (!r->args[0]) || (ind(r->args,'=') >= 0))
> ! 	    execle(SUEXEC_BIN, SUEXEC_BIN, execuser, grpname, argv0, NULL, env);
>   
>     	else {
>   	    execve(SUEXEC_BIN,
> ! 		   create_argv(r, SUEXEC_BIN, execuser, grpname, argv0, r->args, (void *)NULL),
>   		   env);
>   	}
>       }
> *** support/suexec.c~orig	Mon Apr  7 13:48:39 1997
> --- support/suexec.c	Thu Apr 10 21:58:45 1997
> ***************
> *** 294,311 ****
>       /*
>        * Error out if the target group name is invalid.
>        */
> !     if ((gr = getgrnam(target_gname)) == NULL) {
> ! 	log_err("invalid target group name: (%s)\n", target_gname);
> ! 	exit(106);
>       }
>   
>       /*
>        * Save these for later since initgroups will hose the struct
>        */
>       uid = pw->pw_uid;
> -     gid = gr->gr_gid;
>       actual_uname = strdup(pw->pw_name);
> -     actual_gname = strdup(gr->gr_name);
>       target_homedir = strdup(pw->pw_dir);
>   
>       /*
> --- 294,317 ----
>       /*
>        * Error out if the target group name is invalid.
>        */
> !     if (strspn(target_gname, "1234567890") != strlen(target_gname)) {
> ! 	if ((gr = getgrnam(target_gname)) == NULL) {
> ! 	    log_err("invalid target group name: (%s)\n", target_gname);
> ! 	    exit(106);
> ! 	}
> ! 	gid = gr->gr_gid;
> ! 	actual_gname = strdup(gr->gr_name);
>       }
> +     else {
> + 	gid = atoi(target_gname);
> + 	actual_gname = strdup(target_gname);
> +     }
>   
>       /*
>        * Save these for later since initgroups will hose the struct
>        */
>       uid = pw->pw_uid;
>       actual_uname = strdup(pw->pw_name);
>       target_homedir = strdup(pw->pw_dir);
>   
>       /*
> 
> 

