Posted to apache-bugdb@apache.org by Loren Schall <sc...@ateng.az.honeywell.com> on 1997/02/25 01:40:03 UTC
os-sunos/193: suexec loses group
>Number: 193
>Category: os-sunos
>Synopsis: suexec loses group
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Feb 24 16:40:01 1997
>Originator: schall@ateng.az.honeywell.com
>Organization:
apache
>Release: 1.2b7
>Environment:
% uname -a
SunOS swtech09 4.1.4 2 sun4m
% gcc --version
2.7-96q3
% ldd `type -p httpd`
-lc.1 => /usr/lib/libc.so.1.9
-ldl.1 => /usr/lib/libdl.so.1.0
>Description:
In this configuration apparently getgrnam() and initgroups() use the
same static space to hold group info. The call to initgroups()
destroys the information pointed to by the local variable gr.
>How-To-Repeat:
With suexec configured, access a user cgi.
>Fix:
*** suexec.c.orig Thu Feb 20 18:20:40 1997
--- suexec.c Mon Feb 24 17:20:54 1997
***************
*** 222,227 ****
--- 222,228 ----
char dwd[AP_MAXPATH]; /* docroot working directory */
struct passwd *pw; /* password entry holder */
struct group *gr; /* group entry holder */
+ struct group gr_copy; /* group entry holder */
struct stat dir_info; /* directory info holder */
struct stat prg_info; /* program info holder */
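Review bot: The added gr_copy declaration carries the same comment as gr ("group entry holder"), so the reason for a second variable is not recorded. Suggest a comment saying it is a private copy, taken because the record returned by getgrnam() lives in static storage that initgroups() overwrites.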
***************
*** 295,300 ****
--- 296,303 ----
log_err("invalid target group name: (%s)\n", target_gname);
exit(106);
}
+ gr_copy = *gr;
+ gr = &gr_copy;
/*
* Log the transaction here to be sure we have an open log
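Review bot: gr_copy = *gr is a struct assignment, so it preserves gr_gid but copies gr_name and gr_mem as pointers, and those still refer to the static storage that the description says initgroups() overwrites. If anything after this point reads gr->gr_name or gr->gr_mem, copy those strings into caller-owned buffers as well, or save only the values that are needed later (for example the gid) in locals before initgroups() is called.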
%0
>Audit-Trail:
>Unformatted:
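The storage reuse described in the report, as an added example that is not part of the original report or of the Apache source: it shows which members survive a struct assignment such as gr_copy = *gr once the shared record is overwritten. lookup(), saved_group, run_demo() and the sample group names and gids are constructed for illustration; lookup() only models a libc that returns the same static record on every call.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the libc in the report: every lookup hands back
 * the same static record, so a later lookup overwrites an earlier result. */
static char name_buf[32];
static char *no_members[] = { NULL };
static struct group shared;

static struct group *lookup(const char *name, gid_t gid)
{
    snprintf(name_buf, sizeof name_buf, "%s", name);
    shared.gr_name = name_buf;
    shared.gr_gid = gid;
    shared.gr_mem = no_members;
    return &shared;
}

/* Hypothetical caller-owned record holding only what is needed later. */
struct saved_group { gid_t gid; char name[32]; };
struct outcome { int copy_gid_ok, copy_name_ok, saved_gid_ok, saved_name_ok; };

static struct outcome run_demo(void)
{
    struct outcome o;
    struct saved_group saved;
    struct group *gr = lookup("webusers", 200);  /* constructed sample group */
    struct group gr_copy = *gr;                  /* struct assignment, as in the patch */

    saved.gid = gr->gr_gid;                      /* scalar copied by value */
    snprintf(saved.name, sizeof saved.name, "%s", gr->gr_name); /* string bytes copied */
    lookup("daemon", 1);       /* stands in for initgroups() reusing the storage */

    o.copy_gid_ok = (gr_copy.gr_gid == 200);
    o.copy_name_ok = (strcmp(gr_copy.gr_name, "webusers") == 0); /* pointer still aliases name_buf */
    o.saved_gid_ok = (saved.gid == 200);
    o.saved_name_ok = (strcmp(saved.name, "webusers") == 0);
    return o;
}

int main(void)
{
    struct outcome o = run_demo();
    printf("struct copy: gid %s, name %s\n", o.copy_gid_ok ? "kept" : "lost", o.copy_name_ok ? "kept" : "lost");
    printf("saved copy:  gid %s, name %s\n", o.saved_gid_ok ? "kept" : "lost", o.saved_name_ok ? "kept" : "lost");
    return 0;
}
```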