httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Re: When suexec won't log
Date Thu, 08 Jun 2006 00:08:00 GMT
On 6/7/06, reader@newsguy.com <reader@newsguy.com> wrote:
> "Joshua Slive" <joshua@slive.ca> writes:
>
> > Check the group ownership.  If the apache user is in the group that
> > owns suexec, then group execute permissions are enough.
>
>  Ahh yes it was set `root apache' but when I do that on my home setup
>  then I can execute cgi in public_html as user but as my program tries
>  to access other files it fails.
>
> That is:
> -rwx--x---  1 root apache 10880 May 31 15:09 /usr/sbin/suexec2
>
>  I can execute cgi but later on in the running program I get errors
>  like this:
>
> Exception 435: unable to open image `image-cache/Sample Album/Orange
>  Flower_disp100.jpg': Permission denied at /idsShared.pm line 696.
>
> But with:
>  -rwx--x--x  1 root root 10880 May 31 15:09 /usr/sbin/suexec2
>
> It works fine.  All that changed is the permission shown above.
>
> Does require an apache restart.

You lost the suid "s" bit somewhere along the way.  Without this,
suexec doesn't do anything.

As to your question of whether it is more secure to run with only the
group execute bit, it doesn't make much difference in the case of
suexec because the binary will exit if it isn't called by the specific
user/group registered at compile-time.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
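
An added example, not part of the original message or of Apache httpd: a small Python check that applies the reply's points (setuid bit present, root ownership, execute access for the httpd group) to `ls -l` output. The two sample lines are the listings quoted in the thread; the function names and the default group name `apache` are assumptions for illustration.

```python
import stat

# Constructed sample input: the two `ls -l` lines quoted in the thread.
SAMPLE_LS = [
    "-rwx--x---  1 root apache 10880 May 31 15:09 /usr/sbin/suexec2",
    "-rwx--x--x  1 root root 10880 May 31 15:09 /usr/sbin/suexec2",
]

PERM_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_ls_mode(perm):
    """Convert an ls-style string such as '-rwsr-x---' into mode bits."""
    mode = 0
    for i, ch in enumerate(perm[1:10]):
        if ch in "rwxst":      # lowercase s/t: the execute bit is set too
            mode |= PERM_BITS[i]
        if ch in "sStT":       # setuid, setgid or sticky
            mode |= SPECIAL[i]
    return mode

def audit_suexec(perm, owner, group, httpd_group="apache"):
    """Return findings for a suexec binary described by ls -l fields."""
    mode = parse_ls_mode(perm)
    findings = []
    if not mode & stat.S_ISUID:
        findings.append("setuid bit missing: suexec cannot switch users")
    if owner != "root":
        findings.append("owner is not root: setuid would not grant root")
    if mode & stat.S_IXOTH:
        # Per the reply, suexec exits unless run by the compiled-in caller.
        findings.append("note: world-executable")
    elif not (group == httpd_group and mode & stat.S_IXGRP):
        findings.append("httpd group cannot execute the binary")
    return findings

def audit_line(line, httpd_group="apache"):
    """Audit one `ls -l` line (permissions, links, owner, group, ...)."""
    fields = line.split()
    return audit_suexec(fields[0], fields[2], fields[3], httpd_group)

if __name__ == "__main__":
    for line in SAMPLE_LS:
        print(line, "->", audit_line(line) or "ok")
```

Both listings from the thread are flagged for the missing setuid bit, while a mode such as `-rwsr-x---` owned by `root:apache` passes with no findings.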
