httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@arctic.org>
Subject Re: mod_cgi/918: if not using suexec, apache forces user to use server gid/uid settings
Date Tue, 16 Sep 1997 04:21:54 GMT
An old one from July.  There was a little discussion surrounding it,
mostly clearing up my confusion. 

+1

Dean

On Sun, 27 Jul 1997, Randy Terbush wrote:

> > On Sun, 27 Jul 1997, Randy Terbush wrote:
> > 
> > > > No.  The server looks at the permissions on the script that suexec will
> > > > execute, not the permissions on suexec.  Since when suexec eventually
gets
> > > > around to running the script, it will probably be as a different UID,
> > > > checking based on the view of the user who runs suexec doesn't make sense.
> > > > 
> > > > The code could be expanded to know what user will be passed to suexec,
but
> > > > it hasn't been.
> > > 
> > > Correct. This had been brought up during 1.2 beta and I _thought_ 
> > > was fixed. 
> > 
> > What about userdir requests?  Your patch deals not with them?
> 
> Picky picky... :-)
> 
> Ok, untested and missing prototype for log_scripterror(). (my 
> http_log.h is currently non-standard and I am lazy) 
> 
> 
> Index: util.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/util.c,v
> retrieving revision 1.64
> diff -u -3 -r1.64 util.c
> --- util.c	1997/07/21 05:53:52	1.64
> +++ util.c	1997/07/27 19:33:36
> @@ -993,7 +993,7 @@
>      return (x ? 1 : 0);  /* If the first character is ':', it's broken, too */
>  }
>  
> -API_EXPORT(int) can_exec(const struct stat *finfo) {
> +API_EXPORT(int) can_exec(const struct stat *finfo, uid_t uid, gid_t gid) {
>  #ifdef MULTIPLE_GROUPS
>    int cnt;
>  #endif
> @@ -1001,10 +1001,10 @@
>      /* OS/2 dosen't have Users and Groups */
>      return 1;
>  #else    
> -    if(user_id == finfo->st_uid)
> +    if(uid == finfo->st_uid)
>          if(finfo->st_mode & S_IXUSR)
>              return 1;
> -    if(group_id == finfo->st_gid)
> +    if(gid == finfo->st_gid)
>          if(finfo->st_mode & S_IXGRP)
>              return 1;
>  #ifdef MULTIPLE_GROUPS
> Index: mod_cgi.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
> retrieving revision 1.50
> diff -u -3 -r1.50 mod_cgi.c
> --- mod_cgi.c	1997/07/24 04:23:59	1.50
> +++ mod_cgi.c	1997/07/27 19:33:56
> @@ -393,11 +393,6 @@
>  	return log_scripterror(r, conf, NOT_FOUND,
>  			       "script not found or unable to stat");
>  #endif
> -    if (!suexec_enabled) {
> -        if (!can_exec(&r->finfo))
> -            return log_scripterror(r, conf, FORBIDDEN,
> -                                   "file permissions deny server execution");
> -    }
>  
>      if ((retval = setup_client_block(r, REQUEST_CHUNKED_ERROR)))
>  	return retval;
> Index: httpd.h
> ===================================================================
> RCS file: /export/home/cvs/apache/src/httpd.h,v
> retrieving revision 1.132
> diff -u -3 -r1.132 httpd.h
> --- httpd.h	1997/07/23 00:09:02	1.132
> +++ httpd.h	1997/07/27 19:34:21
> @@ -751,7 +751,7 @@
>  API_EXPORT(uid_t) uname2id(const char *name);
>  API_EXPORT(gid_t) gname2id(const char *name);
>  API_EXPORT(int) is_directory(const char *name);
> -API_EXPORT(int) can_exec(const struct stat *);     
> +API_EXPORT(int) can_exec(const struct stat *finfo, uid_t uid, gid_t gid);     
>  API_EXPORT(void) chdir_file(const char *file);
>       
>  char *get_local_host(pool *);
> Index: util_script.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/util_script.c,v
> retrieving revision 1.67
> diff -u -3 -r1.67 util_script.c
> --- util_script.c	1997/07/24 04:24:00	1.67
> +++ util_script.c	1997/07/27 19:34:41
> @@ -739,6 +739,9 @@
>  	    grpname = gr->gr_name;
>  	}
>    
> +        if (!can_exec(&r->finfo, pw->pw_uid, gr->gr_gid))
> +            return log_scripterror(r, conf, FORBIDDEN,
> +                                   "file permissions deny server execution");
>    	if (shellcmd)
>  	    execle(SUEXEC_BIN, SUEXEC_BIN, execuser, grpname, argv0, NULL, env);
>  
> @@ -753,6 +756,9 @@
>  	}
>      }
>      else {
> +        if (!can_exec(&r->finfo, user_id, group_id))
> +            return log_scripterror(r, conf, FORBIDDEN,
> +                                   "file permissions deny server execution");
>  	if (shellcmd) 
>  	    execle(SHELL_PATH, SHELL_PATH, "-c", argv0, NULL, env);
>  	
> 
> 
> 


Mime
View raw message