httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@arctic.org>
Subject Re: mod_cgi/918: if not using suexec, apache forces user to use server gid/uid settings
Date Sun, 27 Jul 1997 06:41:20 GMT
For suexec that's true.  But it does not seem to be true otherwise.

Dean

On Sun, 27 Jul 1997, Marc Slemko wrote:

> On Sat, 26 Jul 1997, Dean Gaudet wrote:
> 
> > No no, I'm talking pure unix exec here.  If I'm uid N, gid M, then either
> > o+x has to be set on the executable, or the exe's uid has to be N and u+x
> > set, or it's gid has to be M and g+x set.
> > 
> > That is exactly what can_exec checks. 
> > 
> > What is wrong?
> > 
> > Or is it checking the permissions on the ultimate cgi that's going to be
> > executed rather than checking permissions on the wrapper?? 
> 
> To save my tired fingers:
> 
> > The server looks at the permissions on the script that suexec will
> > execute, not the permissions on suexec.  Since when suexec eventually gets
> 
> (that's a yes to your question.  <g>)
> 
> > 
> > Dean
> > 
> > On Sun, 27 Jul 1997, Marc Slemko wrote:
> > 
> > > No.  The server looks at the permissions on the script that suexec will
> > > execute, not the permissions on suexec.  Since when suexec eventually gets
> > > around to running the script, it will probably be as a different UID,
> > > checking based on the view of the user who runs suexec doesn't make sense.
> > > 
> > > The code could be expanded to know what user will be passed to suexec, but
> > > it hasn't been.
> > > 
> > > On Sat, 26 Jul 1997, Dean Gaudet wrote:
> > > 
> > > > On Sat, 26 Jul 1997, Marc Slemko wrote:
> > > > > No.  can_exec just doesn't know about magic user ID changes like
those
> > > > > that happen using suexec or some other wrapper.  It checks to see
if it
> > > > > can be execed given the user ID the server is running as now.  
> > > > 
> > > > Um yes, well, what other uid is the server going to attempt to execute
it
> > > > as? 
> > > > 
> > > > Am I totally confused?  I thought these things were setuid root (in the
> > > > case of suexec), or setuid user (in the case of cgiwrap).  In either case
> > > > the webserver needs permission to execute the file.  That's either group
> > > > or other x that needs to be set.
> > > > 
> > > > Dean
> > > > 
> > > > 
> > > 
> > > 
> > 
> 
> 


Mime
View raw message