www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nigel Cole <N.C...@sc98c.demon.co.uk>
Subject Re: mod_cgi/3784: CGI scripts not executed if gid not equal to server's gid
Date Wed, 21 Apr 1999 15:10:01 GMT
The following reply was made to PR mod_cgi/3784; it has been noted by GNATS.

From: Nigel Cole <N.Cole@sc98c.demon.co.uk>
To: dgaudet@apache.org
Cc: apbugs@apache.org
Subject: Re: mod_cgi/3784: CGI scripts not executed if gid not equal to server's gid
Date: Wed, 21 Apr 1999 16:07:30 +0100

 In message <19990421015120.12056.qmail@hyperreal.org>,
 dgaudet@apache.org writes
 >Are you still having this problem?
 >
 >MULTIPLE_GROUPS is in fact useless and should be removed... it
 >won't help you.
 >
 >The initgroups() call takes care of setting the groups.
 >
 >I have no problem with multiple groups ... you have to
 >start the server as root -- the geteuid() is necessary,
 >initgroups() won't succeed unless you do it as root.
 
 Yes, I'm still having this problem. Apache will not run a cgi-bin script
 that lacks world-execute permissions, unless the script is group-owned
 by the same group that the server is running as. This is with suexec
 disabled; OS is Solaris 2.6.
 
 The error message ("file permissions deny server execution") is being
 produced in mod_cgi.c because a call to ap_can_exec() is returning 0.
 Examining ap_can_exec() in util.c, if MULTIPLE_GROUPS is undefined, then
 group_id_list[] is never examined, and the only group test is:
         if (ap_group_id == finfo->st_gid)
                 if (finfo->st_mode & S_IXGRP)
                         return 1;
 
 MULTIPLE_GROUPS is not defined anywhere in the Apache source; the only
 occurrences I could find were all #ifdef MULTIPLE_GROUPS
 
 If MULTIPLE_GROUPS is defined, the server *can* execute the scripts, but
 then the second problem appears: the necessary array group_id_list is
 set with a call to getgroups, but only if the server is started as root.
 "initgroups" is not the problem - the problem is in the function
 "set_group_privs".
 
 -- 
 Nigel Cole

Mime
View raw message