perl-dev mailing list archives

From Stas Bekman <s...@stason.org>
Subject Re: [mp2] mod_perl test suite fails
Date Tue, 09 Dec 2003 17:25:19 GMT
Volker Kroll wrote:
> On Tue, 2003-12-09 at 00:09, Stas Bekman wrote:
> 
>>[Volker has sent me the long output offline, so I'm just quoting the 
>>interesting parts here]
>>
>>
>>>>I also want to see the console messages (not error_log) when you run 
>>>>from under /root/mod_perl-1.99_11/ as you did it in first place.
>>
>> > ulimit -c unlimited; t/TEST -bugreport -verbose=0
>> > *** root mode: changing the files ownership to 'nobody' (99:99)
>> > *** /usr/bin/perl -e '     require POSIX;     POSIX::setuid(99);
>> > POSIX::setgid(99);     print -r q{/root/mod_perl-1.99_11/t} &&  -w _ &&
>> > -x _ ? q{OK} : q{NOK}; '
>> >
>> > *** result: OK
>>
>>That explains the problem. My test to check whether user 'nobody' will be able 
>>to access files under /root seems to pass, but when Apache starts as nobody it 
>>doesn't.
>>
>>Can you please show us the perms of your /root directory? e.g. on my machine it's:
>>
>>drwx------   43 root     root         4096 Dec  8 14:31 root
> 
> drwxr-x---   19 root     root         4096 Dec  8 19:11 root
> (Bad permissions for a root directory, but it is default on Fedora Core.)
> 
> 
>>% grep nobody /etc/passwd
> 
> nobody:x:99:99:Nobody:/:/sbin/nologin

Is it possible that nobody is in the root group?

>>Maybe POSIX::setuid(99) fails? Does running the following as root:
>>
>>% /usr/bin/perl -le 'require POSIX; POSIX::setuid(99); POSIX::setgid(99); \
>>   print -r q{/root} &&  -w _ && -x _ ? q{OK} : q{NOK}; '
>>
>>gives you:
>>
>>OK?
> 
> 
> Yes it does.

How about:

% su - nobody
% perl -le 'print -r q{/root} &&  -w _ && -x _ ? q{OK} : q{NOK}; '

>>If it does, the following will probably fail too:
>>
>>perl -le 'require POSIX; POSIX::setuid(99) or die "failed to run: $@";'
> 
> 
> no error/ no output with this line.

OK, so POSIX::setuid(99) is not failing.

>>and this?
>>
>>% /usr/bin/perl -le 'require POSIX;  \
>>   POSIX::setuid(99) or die "NOK"; \
>>   POSIX::setgid(99) or die "NOK"; \
>>   print -r q{/root} &&  -w _ && -x _ ? q{OK} : q{NOK}; '
> 
> gives OK

So you see, a user 'nobody' somehow can read, write and execute things in the 
/root directory. So either something is horribly broken on your system, or 
POSIX::setuid is failing silently and the test is still running as root and 
therefore succeeds. The 'su - nobody' test above should give us the answer 
where the fault is.



__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
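
The message above asks whether the privilege drop really happened before the permission test ran. As an added example (not part of the original message and not Apache-Test's own code), the script below drops to the uid/gid quoted in the thread, confirms the drop with the kernel, and compares Perl's default stat-based file tests with an access(2)-based check; the script name and command-line arguments are assumptions.

```perl
#!/usr/bin/perl
# Added example. Run as root: perl check_drop.pl [dir] [uid] [gid]
use strict;
use warnings;
use POSIX ();

# Defaults are the values quoted in the thread: /root and nobody (99:99).
my ($dir, $uid, $gid) = @ARGV;
$dir = '/root' unless defined $dir;
$uid = 99      unless defined $uid;
$gid = 99      unless defined $gid;

die "start this as root\n" unless POSIX::geteuid() == 0;

# Groups first: after the uid is dropped the process can no longer change
# them. Assigning "gid gid" to $) sets the effective gid and replaces the
# supplementary group list, so root's groups are not carried along.
$) = "$gid $gid";
POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";
POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

# Ask the kernel what the process is now, independent of the return values.
my @ids = (POSIX::getuid(), POSIX::geteuid(), POSIX::getgid(), POSIX::getegid());
my @groups = split ' ', $);    # effective gid, then supplementary groups
print "uid/euid/gid/egid: @ids  groups: @groups\n";
die "uid not dropped\n"      if $ids[0] != $uid or $ids[1] != $uid;
die "gid not dropped\n"      if $ids[2] != $gid or $ids[3] != $gid;
die "extra groups kept\n"    if grep { $_ != $gid } @groups;
die "root can be regained\n" if POSIX::setuid(0);

# The check from the thread: derived from stat() mode bits and Perl's view
# of the ids.
my $stat_based = (-r $dir && -w _ && -x _) ? 'OK' : 'NOK';

# The same question put to the kernel through access(2). The _ filehandle
# is not used here; each test names the path.
my $kernel = do {
    use filetest 'access';
    (-r $dir && -w $dir && -x $dir) ? 'OK' : 'NOK';
};

print "stat-based: $stat_based  access(2): $kernel\n";
exit($stat_based eq $kernel ? 0 : 1);
```

A non-zero exit means the two checks disagree, which points at the test method rather than at the directory permissions.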

