httpd-users mailing list archives

From André Malo ...@perlig.de>
Subject Re: [users@httpd] small Suexec problem
Date Fri, 09 May 2003 13:56:19 GMT
* <ldg@ulysium.net> wrote:

<snip explanations>

thanks.

> Now like I said, with suexec disabled, this script actually runs fine (it's
> just printing the environment)

Yep, the problem is inside suexec.

>> Are you manually able to switch to the directory as httpd user, su to root,
>> su to the script's desired user and `pwd`?
> 
> I can su to httpd, I did it from within apache's root folder
> (/usr/local/apache) and also in the apache/bin just in case, then I have no
> problem cd-ing to / /srv /srv/sites and all the way to the final script
> location of /srv/sites/p/paradox
> I can't do ls in that location of course, because the r bit isn't set, but I
> can do the pwd and get /srv/sites/p/paradox as it should be
> The pwd command uses the system call getcwd() doesn't it?

I'd guess.

> now I can't su to root from httpd, that's a security restriction of the su
> command on tru64 which only allows members of the system group to su root

Well, but the setuid bit works (otherwise suexec wouldn't run until the
error).

> but I can (with the password) su from httpd to the final user paradox in the
> script location, the only thing that doesn't work there is the pwd which
> gives the same error as suexec when trying to execute the script

ah!

> shell-init: could not get current directory: getcwd: cannot access parent
> directories: Permission denied
> 
> but those parent folders have the x bit set for other all the way to /
> so what's holding it back then?

I have the impression, getcwd goes from root up to the cwd, perhaps trying
to resolve symlinks or checking the path for other things. It seems you have
to make the parent directories readable for the user. Can you test it?
Does `man getcwd` on the system say something about such problems? (doesn't
on my linux box).

nd
-- 
>I have tried using ErrorDocument 401, but doesn't work.
                                           ^^^^^^^^^^^^^
Oh dear.  What does it do - lounge around on the couch all day drinking
beer and watching TV?            -- "Kash" und Alan J. Flavell in ciwsu

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
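
The reply above suspects that getcwd inspects the parent directories. As an added example (not part of the original message, and not Apache or Tru64 code), this is the classic userspace algorithm used by getcwd() implementations that have no kernel support: it climbs through `..` and lists each parent to find the name of the directory it came from, so every ancestor must be readable, not only searchable. `walk_getcwd` is a hypothetical name, and that Tru64's libc works this way is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper: cwd by walking ".." upward; 0, or -1 with errno set. */
int walk_getcwd(char *buf, size_t len)
{
    struct stat cur, par, ent;
    struct dirent *e;
    DIR *d = NULL;
    char *p = buf + len;            /* path is assembled right to left */
    int rc = -1, up, saved;
    if (len < 2) { errno = ERANGE; return -1; }
    if (stat(".", &cur) < 0) return -1;
    *--p = '\0';
    for (;; cur = par) {
        /* Listing the parent needs its r bit; the x bit alone is not enough. */
        up = openat(d ? dirfd(d) : AT_FDCWD, "..", O_RDONLY | O_DIRECTORY);
        saved = errno;
        if (d) closedir(d);
        if (up < 0) { errno = saved; return -1; }      /* typically EACCES */
        if (!(d = fdopendir(up))) { close(up); return -1; }
        if (fstat(up, &par) < 0) break;
        if (par.st_dev == cur.st_dev && par.st_ino == cur.st_ino) { /* at "/" */
            if (*p == '\0') *--p = '/';
            memmove(buf, p, strlen(p) + 1);
            rc = 0; break;
        }
        /* Find the parent's entry that is the directory we came from. */
        while ((e = readdir(d)) != NULL)
            if (fstatat(up, e->d_name, &ent, AT_SYMLINK_NOFOLLOW) == 0 &&
                ent.st_dev == cur.st_dev && ent.st_ino == cur.st_ino)
                break;
        if (!e) { errno = ENOENT; break; }
        size_t n = strlen(e->d_name);
        if ((size_t)(p - buf) < n + 1) { errno = ERANGE; break; }
        p -= n; memcpy(p, e->d_name, n); *--p = '/';
    }
    closedir(d);
    return rc;
}
int main(void) {
    char buf[4096];
    if (walk_getcwd(buf, sizeof buf) < 0) { perror("walk_getcwd"); return 1; }
    return puts(buf) < 0;
}
```

Run as a non-root user from a directory whose parent grants that user only the x bit, the program fails with `Permission denied`, while a getcwd() backed by a kernel system call (as on Linux) still succeeds.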

