
Mailing List Archive: Apache: Bugs

[Bug 42175] suexec_enabled set incorrectly when httpd is run by a non-root user

 

 



bugzilla at apache

Nov 17, 2009, 5:42 AM


https://issues.apache.org/bugzilla/show_bug.cgi?id=42175

--- Comment #2 from Dan Poirier <poirier [at] pobox> 2009-11-17 05:42:07 UTC ---
I guess this is the problem code in fcgi:

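    /* mod_fcgid refuses to start when suexec is flagged as enabled
     * but the process is not running as root. */
    if (ap_unixd_config.suexec_enabled) {
        if (getuid() != 0) {
            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, main_server,
                         "mod_fcgid: current user is not root while suexec "
                         "is enabled, exiting now");
            exit(1);
        }
    }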

Why not just test getuid()==0 in unixd.c when setting
suexec_enabled? That seems more direct than checking
access to the suexec program.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd


bugzilla at apache

Nov 17, 2009, 10:18 AM


--- Comment #3 from Jim Radford <radford [at] blackbean> 2009-11-17 10:18:31 UTC ---
(In reply to comment #2)
> I guess this is the problem code in fcgi:

Yes.

> Why not just test getuid()==0 in unixd.c when setting
> suexec_enabled?

Because we are not running as root at this point even if the server was started
by root.

> That seems more direct than checking
> access to the suexec program.

I agree it seems odd, but I couldn't come up with either a lighter weight or
more direct solution. It just runs once at module load time.



bugzilla at apache

Nov 17, 2009, 10:25 AM


--- Comment #4 from Dan Poirier <poirier [at] pobox> 2009-11-17 10:25:24 UTC ---
I wasn't sure when this code was run, but I tested it and if the server is
started as root, it's still running as root at the time this code is executed.
getuid() returns 0.



bugzilla at apache

Nov 17, 2009, 11:02 AM


--- Comment #5 from Jim Radford <radford [at] blackbean> 2009-11-17 11:02:25 UTC ---
(In reply to comment #4)
> I wasn't sure when this code was run, but I tested it and if the server is
> started as root, it's still running as root at the time this code is executed.
> getuid() returns 0.

Looks like I was wrong about that; I get 0 in my setup too, so using getuid()
should be fine.



bugzilla at apache

Nov 17, 2009, 11:11 AM


--- Comment #6 from Jim Radford <radford [at] blackbean> 2009-11-17 11:11:43 UTC ---
I think the reason I did access() instead of getuid() was that it was the more
direct one. If someone didn't install suexec with the suid bit set, then the
access() would notice that whereas the getuid() wouldn't.

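
Added example, not part of the thread and not httpd or mod_fcgid code: one way to combine the two conditions discussed above, a getuid() test and a check that the suexec wrapper is installed setuid root. It reads the mode bits with stat() rather than access(); the enum names, function names and the placeholder wrapper path are assumptions made for this example.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes for this example (not httpd identifiers). */
enum suexec_state {
    SUEXEC_OK = 0,          /* caller is root and wrapper is setuid root */
    SUEXEC_NOT_ROOT,        /* server was not started by root */
    SUEXEC_MISSING,         /* wrapper could not be stat()ed */
    SUEXEC_NOT_SETUID,      /* setuid bit is not set on the wrapper */
    SUEXEC_NOT_ROOT_OWNED   /* wrapper is not owned by uid 0 */
};

/* Pure decision so it can be tested without root; st is NULL when
 * stat() on the wrapper failed. */
enum suexec_state suexec_decide(uid_t caller_uid, const struct stat *st)
{
    if (caller_uid != 0)
        return SUEXEC_NOT_ROOT;      /* the getuid() condition */
    if (st == NULL)
        return SUEXEC_MISSING;
    if (!(st->st_mode & S_ISUID))
        return SUEXEC_NOT_SETUID;    /* install problem getuid() cannot see */
    if (st->st_uid != 0)
        return SUEXEC_NOT_ROOT_OWNED;
    return SUEXEC_OK;
}

/* Probe the running process against a caller-supplied wrapper path. */
enum suexec_state suexec_probe(const char *wrapper_path)
{
    struct stat st;
    int have_stat = (stat(wrapper_path, &st) == 0);
    return suexec_decide(getuid(), have_stat ? &st : NULL);
}

int main(int argc, char **argv)
{
    /* Placeholder default; pass the real wrapper location as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/path/to/suexec";
    static const char *reason[] = {
        "enabled", "not started as root", "wrapper missing",
        "wrapper not setuid", "wrapper not owned by root"
    };
    enum suexec_state s = suexec_probe(path);
    printf("suexec %s: %s\n", path, reason[s]);
    return s == SUEXEC_OK ? 0 : 1;
}
```
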


bugzilla at apache

Nov 18, 2009, 10:13 AM


--- Comment #7 from Jim Radford <radford [at] blackbean> 2009-11-18 10:13:22 UTC ---
Would it help to get this fixed if I made a patch using getuid()?



bugzilla at apache

Nov 18, 2009, 2:10 PM


--- Comment #8 from Dan Poirier <poirier [at] pobox> 2009-11-18 14:10:43 UTC ---
Maybe someone who better understands what suexec_enabled is intended for can
comment on whether the correct fix here is to get suexec_enabled turned off in
this case, or whether fcgi should be making this check in the first place?

