httpd-users mailing list archives

From: Lee Fellows <lfell...@4lane.com>
Subject: Re: Another suexec question
Date: Wed, 03 Jul 2002 14:14:58 GMT

On Wed, 2002-07-03 at 00:55, blather wrote:
> On Tue, 2002-07-02 at 09:03, Lee Fellows wrote:
> > On Tue, 2002-07-02 at 09:38, blather wrote:
> > > On Tue, 2002-07-02 at 08:36, Lee Fellows wrote:
> > > > On Tue, 2002-07-02 at 08:43, blather wrote:
> > > > > On Tue, 2002-07-02 at 07:37, Lee Fellows wrote:
> > > > > > On Tue, 2002-07-02 at 04:05, blather wrote:
> > > > > > > 
> > > > > > > Configured apache like so:
> > > > > > > 
> > > > > > > 
> > > > > > > [root@spider apache_1.3.26]# ./configure --enable-module=most
> > > > > > > --enable-shared=max --enable-suexec --suexec-docroot=/var/www
> > > > > > > --suexec-safepath=/bin:/usr/bin:/usr/local/bin --suexec-caller=nobody
> > > > > > > --suexec-logfile=/usr/local/apache/logs/suexec_log --suexec-uidmin=98
> > > > > > > --suexec-gidmin=98
> > > > > > > 
> > > > > > > 
> > > > > > > ...and read every document + maillist archive until I'm sick of it.  The
> > > > > > > program is 755, in /var/www/cgi-bin and owned by owner who wants it
> > > > > > > executed, parent dir is 755, apache is running as nobody(99):nobody(99).
> > > > > > > I'm out of ideas.  One odd thing I did notice is the suexec_log never
> > > > > > > got created at install.
> > > > > > > 
> > > > > > > Any help is appreciated.
> > > > > > > 
> > > > > > > --rjm--
> > > > > > > 
> > > > > > 
> > > > > >   When apache starts, does it report that suexec is enabled?
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > > > > For additional commands, e-mail: users-help@httpd.apache.org
> > > > > > 
> > > > > > 
> > > > > Sorry, yeah it does:
> > > > > 
> > > > > [Tue Jul  2 03:02:43 2002] [notice] caught SIGTERM, shutting down
> > > > > > [Tue Jul  2 03:02:48 2002] [notice] Apache/1.3.26 (Unix) configured --
> > > > > > resuming normal operations
> > > > > [Tue Jul  2 03:02:48 2002] [notice] suEXEC mechanism enabled (wrapper:
> > > > > /usr/local/apache/bin/suexec)
> > > > > [Tue Jul  2 03:02:48 2002] [notice] Accept mutex: sysvsem (Default:
> > > > > sysvsem)
> > > > > 
> > > > > --rjm--
> > > > > -- 
> > > > > > "... one of the main causes of the fall of the Roman Empire was that,
> > > > > > lacking zero, they had no way to indicate successful termination of
> > > > > > their C programs."
> > > > > 
> > > > > 
> > > > 
> > > >   How do you call the cgi you want suEXEC to run?  (What is the url?)
> > > > 
> > > >   What do you see in the error_log for a failed request?  
> > > > 
> > > 
> > > It's called by http://192.168.70.10/cgi-bin/path/to/test.cgi.
> >   
> >   And access here is controlled via a 'VirtualHost' with User and
> >   Group set to the correct user and group in the VirtualHost section,
> >   not the general server section?
> > 
> > >  The error
> > > log shows the script in question failing ( it does a 'system(cp file
> > > testfile)' for permission reasons because the directory is 755 (and the
> > > script is running as nobody).
> > 
> >   suEXEC is not being invoked.  I would suspect because it is not
> >   being called through a VirtualHost or by a UserDir invocation as
> >   described in the documentation.
> > 
> > > 
> > > --rjm--
> 
> There are no VirtualHost directives for this install.  I agree that
> suexec isn't being invoked but for the life of me cannot fathom why.  I
> was under the impression that suexec (from the documentation + related
> archive discussion) that if the proggie in question was in the
> --suexec-docroot that it was suid/sgid based on the ownership of the
> parent directory.
> 
> --rjm--
> 

  From my reading of the documentation suEXEC can only be invoked in
  a VirtualHost or in User directories.  I cannot find anything to
  suggest that suEXEC would work with suid/sgid programs.  From
  Apache User Manual, suexec.html#usage, suEXEC expressly _will not_
  work with suid/sgid programs (item 17 of the suEXEC Security Model).

  You could define a VirtualHost with the same DocumentRoot and
  set User/Group to the appropriate user/group, drop the suid/sgid
  bits from the files, ensure the ownership matches the User/Group in
  the VirtualHost, and try it then.  Or use UserDir.  These two
  avenues appear to be the only ones available for you to use suEXEC.




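A pre-flight check for the conditions discussed in this thread, as an added example that is not part of the original messages or of Apache itself. It tests a CGI script against several suEXEC security-model conditions (docroot containment, minimum uid/gid, ownership matching the VirtualHost User/Group, no setuid/setgid bits, no group/other write access). The function name and parameters are hypothetical; the defaults of 98 mirror the `--suexec-uidmin`/`--suexec-gidmin` values quoted above.

```python
import os
import stat
import sys


def suexec_preflight(script, docroot, want_uid, want_gid, uid_min=98, gid_min=98):
    """Return the reasons suEXEC would refuse `script` (empty list: none found).

    want_uid/want_gid are the numeric ids of the User/Group set in the
    VirtualHost that serves the script (assumed inputs, not read from httpd.conf).
    """
    problems = []
    script = os.path.realpath(script)
    docroot = os.path.realpath(docroot)

    # The target must live below the compiled-in --suexec-docroot.
    if os.path.commonpath([script, docroot]) != docroot:
        problems.append("script is outside the suEXEC docroot")

    st = os.stat(script)
    parent = os.stat(os.path.dirname(script))

    # The target ids must not be below the compiled-in minimums.
    if want_uid < uid_min or want_gid < gid_min:
        problems.append("target uid/gid is below --suexec-uidmin/--suexec-gidmin")
    # The script must be owned by the user/group it is meant to run as.
    if (st.st_uid, st.st_gid) != (want_uid, want_gid):
        problems.append("script owner/group differs from the VirtualHost User/Group")
    # suEXEC refuses setuid/setgid targets (item 17 of the security model).
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid/setgid")
    # Neither the script nor its directory may be writable by anyone else.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("script is writable by group or other")
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("parent directory is writable by group or other")
    return problems


if __name__ == "__main__":
    # usage: preflight.py SCRIPT DOCROOT UID GID
    path, root, uid, gid = sys.argv[1], sys.argv[2], int(sys.argv[3]), int(sys.argv[4])
    found = suexec_preflight(path, root, uid, gid)
    print("\n".join(found) if found else "no problems found")
    sys.exit(1 if found else 0)
```

An empty result only means these file-level checks pass; as the reply above notes, suEXEC must still be triggered through a VirtualHost with User/Group set or through UserDir.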