Received: (qmail 16776 invoked by uid 2012); 4 Nov 1998 21:03:32 -0000 Message-Id: <19981104210332.16775.qmail@hyperreal.org> Date: 4 Nov 1998 21:03:32 -0000 From: Aaron Schlesinger Reply-To: aarons@advanced.org To: apbugs@hyperreal.org Subject: suEXEC compiles but does not wrap cgi's X-Send-Pr-Version: 3.2 >Number: 3342 >Category: suexec >Synopsis: suEXEC compiles but does not wrap cgi's >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Nov 4 13:10:00 PST 1998 >Closed-Date: Thu Oct 26 15:33:03 PDT 2000 >Last-Modified: Thu Oct 26 15:33:03 PDT 2000 >Originator: aarons@advanced.org >Release: 1.3.3 >Organization: >Environment: Output of uname -a: IRIX64 dev99 6.5 05190003 IP27 Running on an SGI Origin 200 with 512 megs of ram. Running IRIX 6.5 >Description: I have made several attemps at compiling apache 1.3.3 and have not been able to get suEXEC to actually wrap cgi's. suexec is located in sbin, it is chmoded with the setuid bit, and httpd does recognize it's existance. However, when a cgi is executed, there is no evidence of the suexec doing its job, ie, the uid and gid is not changed. >How-To-Repeat: I'm not sure, as far as I can tell suexec no longer functions. >Fix: I wish :-) >Release-Note: >Audit-Trail: State-Changed-From-To: open-feedback State-Changed-By: marc State-Changed-When: Wed Nov 4 13:11:46 PST 1998 State-Changed-Why: Please give an example URL for a CGI you are trying to execute. You did read through the docs and are aware that it will only be used for CGIs that are either in a ~user directory or in a virtualhost with its own User and Group directives, right? From: Aaron Schlesinger To: marc@apache.org Cc: apbugs@apache.org Subject: Re: suexec/3342: suEXEC compiles but does not wrap cgi's Date: Wed, 04 Nov 1998 16:07:40 -0500 Yes, the test that I am using involves first a shell and then a perl script in a user directory. marc@apache.org wrote: > Synopsis: suEXEC compiles but does not wrap cgi's > > State-Changed-From-To: open-feedback > State-Changed-By: marc > State-Changed-When: Wed Nov 4 13:11:46 PST 1998 > State-Changed-Why: > Please give an example URL for a CGI you are trying to > execute. > > You did read through the docs and are aware that it will only > be used for CGIs that are either in a ~user directory or > in a virtualhost with its own User and Group directives, right? -- Aaron Schlesinger UNIX Systems Administrator Advanced Network & Services, Inc. Phone:+1 914/765-1176 200 Business Park Drive Cell:+1 914/319-8002 Armonk, NY 10504 USA Fax:+1 914/765-1177 From: Aaron Schlesinger To: marc@apache.org, apbugs@apache.org Cc: Subject: Re: suexec/3342: suEXEC compiles but does not wrap cgi's Date: Wed, 04 Nov 1998 16:24:14 -0500 you can try http://dev99.advanced.org/~12345/test.cgi its behind an htaccess protection, the username is 12345 and the password is 12345. marc@apache.org wrote: > [In order for any reply to be added to the PR database, ] > [you need to include in the Cc line ] > [and leave the subject line UNCHANGED. This is not done] > [automatically because of the potential for mail loops. ] > [If you do not include this Cc, your reply may be ig- ] > [nored unless you are responding to an explicit request ] > [from a developer. ] > [Reply only with text; DO NOT SEND ATTACHMENTS! ] > > Synopsis: suEXEC compiles but does not wrap cgi's > > State-Changed-From-To: open-feedback > State-Changed-By: marc > State-Changed-When: Wed Nov 4 13:11:46 PST 1998 > State-Changed-Why: > Please give an example URL for a CGI you are trying to > execute. > > You did read through the docs and are aware that it will only > be used for CGIs that are either in a ~user directory or > in a virtualhost with its own User and Group directives, right? -- Aaron Schlesinger UNIX Systems Administrator Advanced Network & Services, Inc. Phone:+1 914/765-1176 200 Business Park Drive Cell:+1 914/319-8002 Armonk, NY 10504 USA Fax:+1 914/765-1177 From: Marc Slemko To: Aaron Schlesinger Cc: Apache bugs database Subject: Re: suexec/3342: suEXEC compiles but does not wrap cgi's Date: Wed, 4 Nov 1998 22:48:58 -0800 (PST) On Wed, 4 Nov 1998, Aaron Schlesinger wrote: > you can try http://dev99.advanced.org/~12345/test.cgi That gives a 404 not found. Is Apache printing the suexec message in the error log? Why do you say the UID isn't being changed? From: Marc Slemko To: Aaron Schlesinger Cc: Apache bugs database Subject: Re: suexec/3342: suEXEC compiles but does not wrap cgi's Date: Thu, 5 Nov 1998 09:18:50 -0800 (PST) On Thu, 5 Nov 1998, Aaron Schlesinger wrote: > Try that link again, it should work. It links to a shell script which > prints: > I am `whoami`. No, it now gives a server error: 500 - Misconfiguration Today's Date and Time: Thursday, 05-Nov-1998 12:19:18 EST There has been an error or misconfiguration was encountered while attempting to complete your request. The file /usr/local/apache/share/htdocs/12345/./test.cgi returned an error. Please contact webmaster@betelgeuse if you feel there is a mistake or if you'd like to report this incident. Is there really a ~12345 user in your passwd file with a home directory of /usr/local/apache/share/htdocs/12345/./ ? Are you sure the /./ isn't causing problems? What is your UserDir directive set to? > Since we run our server as root for certain business related reasons, There are no valid "business related reasons" to run your server as root. That is not a supported configuration and is not secure in any way. State-Changed-From-To: feedback-closed State-Changed-By: slive State-Changed-When: Thu Oct 26 15:33:02 PDT 2000 State-Changed-Why: [This is a standard response.] No response from submitter, assuming issue has been resolved. >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]