Posted to users@httpd.apache.org by "David A. Gershman" <ge...@etc.rsc.raytheon.com> on 2003/10/13 21:37:08 UTC

[users@httpd] CGI File Permissions...(not trivial question)

Hello,

  I've searched and searched to no avail for an answer.  Yes, my
question is on CGI script file permissions, but it is not a trivial one.

Background:

  * apache 1.3.28 running as user 'apache' and group 'apache'
  * web docs and cgis owned as user 'www' and group 'www'.
  * 'apache' is a member of group 'www'

My Goal:

  To avoid modification of CGIs in the event of a web server exploit,
the CGIs are owned by 'www', but *should* be allowed to run via proper
file permissions.

I have the following script:
#!/usr/bin/perl
print "Content-type: text/plain\n\n";
print `id`;

It is owned by 'www' as the following:
-rwxr-x---    1 www      www           144 Oct 13 11:40 index.pl*

If I log in as 'apache' I can successfully run this script (since
'apache' is a member of 'www' ).  However, when I try and run the script
from the web, I get a Forbidden message with the log file saying:

   file permissions deny server execution: /var/www/cgi-bin/index.pl

Notice the perms are 750.  When I change them to 755, the script runs
fine with the following output:

uid=503(apache) gid=503(apache) groups=503(apache),504(www)


As you can see, apache *is* in the 'www' group even according to the
script, but when the file permissions do *not* allow "other", the script
cannot be run.

FYI, I have normal .html files setup the same way: owned by 'www'/'www'
and chmod 640.  They're displayed via the web just fine.

Question: Why won't the script run with restricted permissions?  If this
is some sort of security feature...why?  What risk am I not seeing???

Thanks.

--
David A. Gershman
ETC Sys Admin
gershman@etc.rsc.raytheon.com


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] CGI File Permissions...(not trivial question)

Posted by Kirk Bailey <id...@netzero.net>.
needs to be readable by all and sundry; executable alone is not enough. Try 755. 
Also, what identity is apache running as? Normally, it is 'nobody'. If the 
first suggestion barks like a dog, try changing ownership to 'nobody:nobody'.
755 is really the permission of preference. Also, check the cgi-bin directory's 
permissions and ownerships!

-- 

Cheers!
         Kirk D Bailey

  +                              think                                +
   http://www.howlermonkey.net  +-----+        http://www.tinylist.org
   http://www.listville.net     | BOX |  http://www.sacredelectron.org
   Thou art free"-ERIS          +-----+     'Got a light?'-Prometheus
  +                              kniht                                +

Fnord.




Re: [users@httpd] CGI File Permissions...(not trivial question)

Posted by Nikolaus Schmitt <n....@scaet.de>.
Hi David,

read this: http://httpd.apache.org/docs/suexec.html,
http://httpd.apache.org/docs-2.0/suexec.html
You'll find an answer and a proper solution.
Regards
Niko
