From nobody@hyperreal.com Mon Feb 24 16:39:32 1997 Received: by taz.hyperreal.com (8.8.4/V2.0) id QAA29417; Mon, 24 Feb 1997 16:39:32 -0800 (PST) Message-Id: <199702250039.QAA29417@taz.hyperreal.com> Date: Mon, 24 Feb 1997 16:39:32 -0800 (PST) From: Loren Schall Reply-To: schall@ateng.az.honeywell.com To: apbugs@hyperreal.com Subject: suexec loses group X-Send-Pr-Version: 3.2 >Number: 193 >Category: os-sunos >Synopsis: suexec loses group >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Feb 24 16:40:01 1997 >Last-Modified: Sun Apr 6 12:37:20 PDT 1997 >Originator: schall@ateng.az.honeywell.com >Organization: >Release: 1.2b7 >Environment: % uname -a SunOS swtech09 4.1.4 2 sun4m % gcc --version 2.7-96q3 % ldd `type -p httpd` -lc.1 => /usr/lib/libc.so.1.9 -ldl.1 => /usr/lib/libdl.so.1.0 >Description: In this configuration apparently getgrnam() and initgroups() use the same static space to hold group info. The call to initgroups() destroys the information pointed to by the local variable gr. >How-To-Repeat: With suexec configured, access a user cgi. >Fix: *** suexec.c.orig Thu Feb 20 18:20:40 1997 --- suexec.c Mon Feb 24 17:20:54 1997 *************** *** 222,227 **** --- 222,228 ---- char dwd[AP_MAXPATH]; /* docroot working directory */ struct passwd *pw; /* password entry holder */ struct group *gr; /* group entry holder */ + struct group gr_copy; /* group entry holder */ struct stat dir_info; /* directory info holder */ struct stat prg_info; /* program info holder */ *************** *** 295,300 **** --- 296,303 ---- log_err("invalid target group name: (%s)\n", target_gname); exit(106); } + gr_copy = *gr; + gr = &gr_copy; /* * Log the transaction here to be sure we have an open log %0 >Audit-Trail: State-Changed-From-To: open-analyzed State-Changed-By: marc State-Changed-When: Tue Feb 25 12:30:41 PST 1997 State-Changed-Why: Fix looks reasonable; will get patched. State-Changed-From-To: analyzed-closed State-Changed-By: marc State-Changed-When: Sun Apr 6 12:37:20 PDT 1997 State-Changed-Why: Fixed in revision 1.19 of suexec.c which will be available in the next beta. >Unformatted: