httpd-users mailing list archives

From <...@ulysium.net>
Subject Re: [users@httpd] small Suexec problem
Date Fri, 09 May 2003 13:28:19 GMT
>>> Hmm. What are the rights of the script directory?
>> 
>> /  has r-x for other
>> /srv  as well
>> /srv/sites  has --x for other and is the document root specified for suexec
> 
> and for the user itself?

Only the folder containing the scripts is actually owned by the final
user/group.

That system uses acls (it's tru64); here's the complete rundown of the
perms/acls on this whole path to the script(s):

getacl /
# file: /
# owner: root
# group: system
#
user::rwx
group::r-x
other::r-x

getacl /srv
# file: /srv
# owner: root
# group: system
#
user::rwx
group::r-x
other::r-x

getacl /srv/sites
# file: /srv/sites
# owner: root
# group: httpd
#
user::rwx
group::r-x
other::--x

getacl /srv/sites/p
# file: /srv/sites/p
# owner: root
# group: httpd
#
user::rwx
group::r-x
other::--x

getacl /srv/sites/p/paradox
# file: /srv/sites/p/paradox
# owner: paradox
# group: paradox
#
user::rwx
group::r-x
other::--x

as I mentioned, /srv/sites is what I compiled in suexec as the docroot, and
the http server config has a virtualhost block containing this:

DocumentRoot    /srv/p/paradox/home
<Directory "/srv/p/paradox/home">
AllowOverride   AuthConfig Limit
Options         FollowSymLinks Indexes ExecCGI
Order           Deny,Allow
Allow           From All
</Directory>
SuexecUserGroup paradox paradox
ScriptAlias     /cgi-bin/       /srv/sites/p/paradox/
<Directory "/srv/sites/p/paradox">
AllowOverride   AuthConfig Limit
Options         FollowSymLinks ExecCGI
Order           Deny,Allow
Allow           From All
</Directory>

There are more directives in the virtualhost block of course...
I separate the scripts from the rest, although you can see I added ExecCGI
in there; this is for testing. I added it and was then able to run scripts
in the home folder, but that won't be allowed later. I even added ExecCGI in
the directory block of the scriptalias to see if that would help (without
suexec) when I was trying to get scripts to run at first. I left that in for
now, but that shouldn't interfere with suexec.
The users on the system have their own group as well, so the goal is to have
cgi scripts chmoded to 550 (or 750) and never have any perms given to other
at all, even in the web docroot. All html/php files won't be given any perms
to other; instead, to allow the httpd user access to those files, acls are
added and preset to be automatically inherited at upload time/creation of
the files (this already works perfectly on other systems).
The only thing that's new to my config on this new system is the use of
suexec, besides apache2 replacing apache1.3.

The script has these perms right now:

getacl testing
# file: testing
# owner: paradox
# group: paradox
#
user::r-x
group::r-x
other::r-x

but I'll revert this back to nothing for other later; it's the main goal of
using suexec, so no files need any access at all to other.

Now, like I said, with suexec disabled, this script actually runs fine (it's
just printing the environment).

> Are you manually able to switch to the directory as httpd user, su to root,
> su to the script's desired user and `pwd`?

I can su to httpd; I did it from within apache's root folder
(/usr/local/apache) and also in apache/bin just in case. Then I have no
problem cd-ing to /, /srv, /srv/sites and all the way to the final script
location of /srv/sites/p/paradox.
I can't do ls in that location of course, because the r bit isn't set, but I
can do the pwd and get /srv/sites/p/paradox as it should be.
The pwd command uses the system call getcwd(), doesn't it?

Now I can't su to root from httpd; that's a security restriction of the su
command on tru64, which only allows members of the system group to su to root.
But I can (with the password) su from httpd to the final user paradox in the
script location; the only thing that doesn't work there is the pwd, which
gives the same error as suexec when trying to execute the script:

shell-init: could not get current directory: getcwd: cannot access parent
directories: Permission denied

but those parent folders have the x bit set for other all the way to /,
so what's holding it back then?

-- 
Didier Godefroy
mailto:dg@ulysium.net
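
The last question in the message (traversal works through --x parents, yet getcwd fails) comes down to two different permission checks. chdir() and path lookup need only search (x) on each component, while a getcwd() that libc implements by opening ".." and reading each parent directory to find the matching entry name (the traditional implementation; Linux instead uses a kernel call that needs only search permission) also needs read (r) on every proper ancestor. Apache's suexec calls getcwd() after changing into the script's directory, so it is subject to the same check. The following is an added Python example, not part of the message or of suexec, that audits a path for a given identity under those two rules. The directory modes are transcribed from the getacl output in the message, the uid/gid numbers are constructed, and only the base owner/group/other entries are modelled (extended ACL entries are ignored).

```python
import os
import stat
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    uid: int
    gid: int
    groups: FrozenSet[int] = frozenset()  # supplementary group ids


@dataclass(frozen=True)
class DirEntry:
    path: str
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o751 for rwxr-x--x


def can(entry: DirEntry, ident: Identity, perm: str) -> bool:
    """Classic POSIX mode-bit check: exactly one class applies (owner, else
    group, else other). Extended ACL entries are deliberately not modelled."""
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    if ident.uid == 0:
        return True  # superuser: read/search on a directory is not refused by mode bits
    if ident.uid == entry.owner_uid:
        cls = (entry.mode >> 6) & 7
    elif ident.gid == entry.group_gid or entry.group_gid in ident.groups:
        cls = (entry.mode >> 3) & 7
    else:
        cls = entry.mode & 7
    return bool(cls & bit)


def chdir_blockers(entries: List[DirEntry], ident: Identity) -> List[str]:
    """chdir()/path lookup needs search (x) on every component; list those that refuse it."""
    return [e.path for e in entries if not can(e, ident, "x")]


def classic_getcwd_blockers(entries: List[DirEntry], ident: Identity) -> List[Tuple[str, str]]:
    """A libc getcwd() that rebuilds the path by opening '..' and reading each
    parent directory needs search on every component and read on every proper
    ancestor (everything except the directory being named)."""
    missing = []
    last = len(entries) - 1
    for i, e in enumerate(entries):
        if not can(e, ident, "x"):
            missing.append((e.path, "x"))
        if i < last and not can(e, ident, "r"):
            missing.append((e.path, "r"))
    return missing


def entries_from_fs(path: str) -> List[DirEntry]:
    """Build DirEntry records for '/' and every component of a path from the live filesystem."""
    prefixes = ["/"]
    for part in os.path.abspath(path).strip("/").split("/"):
        if part:
            prefixes.append(os.path.join(prefixes[-1], part))
    out = []
    for p in prefixes:
        st = os.stat(p)
        out.append(DirEntry(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return out


# Constructed ids; the mode bits are the base ACL entries shown by getacl in the message.
UID_ROOT, GID_SYSTEM = 0, 0
UID_HTTPD, GID_HTTPD = 80, 80
UID_PARADOX, GID_PARADOX = 1001, 1001
HTTPD = Identity(UID_HTTPD, GID_HTTPD)
PARADOX = Identity(UID_PARADOX, GID_PARADOX)

TREE = [
    DirEntry("/", UID_ROOT, GID_SYSTEM, 0o755),
    DirEntry("/srv", UID_ROOT, GID_SYSTEM, 0o755),
    DirEntry("/srv/sites", UID_ROOT, GID_HTTPD, 0o751),
    DirEntry("/srv/sites/p", UID_ROOT, GID_HTTPD, 0o751),
    DirEntry("/srv/sites/p/paradox", UID_PARADOX, GID_PARADOX, 0o751),
]

if __name__ == "__main__":
    for name, ident in (("httpd", HTTPD), ("paradox", PARADOX)):
        print(f"{name}: chdir blockers {chdir_blockers(TREE, ident)}")
        print(f"{name}: classic getcwd blockers {classic_getcwd_blockers(TREE, ident)}")
```

Run against the constructed tree, the httpd identity (a member of group httpd, which has r-x on /srv/sites and /srv/sites/p) gets no blockers for either check, while the paradox identity can traverse every component but lacks read on /srv/sites and /srv/sites/p, which is exactly the situation in which pwd and suexec fail for that user in the message. On a live system, build the list with entries_from_fs() and an Identity taken from the target user's pwd/grp entries; the fix the audit points at is giving the script owner's group read on the ancestors (or using group httpd there), not adding permissions for other.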


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

