Posted to users@httpd.apache.org by Jochen Kächelin <jk...@linux.amsjk.de> on 2002/09/28 21:23:33 UTC

[users@httpd] I'm too stupid to configure suexec

OK, after a lot of tests I'm sure:

I'm too stupid to configure suexec with Apache 2.0.40!!!!

I have the following:

RedHat 7.3
Apache 2.0.40
OpenSSL 0.96g
PHP 4.2.3 (module)
....


My DocumentRoot is:

/www

There are 2 VirtualHosts:

/www/hosting/619/www.xxxx.de owned by User jochen Group jochen
/www/hosting/620/www.yyyy.de owned by User anna Group anna

I want all users to be able to run .cgi or .pl scripts under their home
(/www/hosting/6xx/www.xxxx.de) and not only in a cgi-bin directory!

jochen is the first user (uid=500, gid=500) and Apache runs as
nobody:nobody (uid=99, gid=99).

How do I have to compile Apache so that suexec works correctly and
there are no security holes in executing Perl scripts?

--enable-suexec \
--with-suexec-caller=99 \
--with-suexec-docroot=/www \
--with-suexec-uidmin=500 \
--with-suexec-gidmin=500

<VirtualHost xxx.xxx.xxx.xxx>
        DocumentRoot /www/hosting/619/www.xxxx.de
        ServerName www.xxx.de
        ErrorLog /www/logs/error.log
        TransferLog /www/logs/access.log
        SuexecUserGroup jochen jochen
</VirtualHost>

Is this ok???


-- 
Jochen Kaechelin


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re[2]: [users@httpd] I'm too stupid to configure suexec

Posted by Jochen Kächelin <jk...@linux.amsjk.de>.
SL>      #!/usr/bin/perl
SL>      print "Content-type: text/plain\n\n";
SL>      print "I am real uid $<, effective uid $>.\n";
SL>      print "I am real gid $(, effective gid $).\n";

SL> Real and effective should be the same here, I think.

I get the following when I run your script:

I am real uid 99, effective uid 99.
I am real gid 99 99, effective gid 99 99.

99 is the uid of nobody, gid 99 is group nobody - exactly what
Apache runs as. But in the VirtualHost container there's

SuexecUserGroup jochen jochen   // uid = 500, gid = 500

Why must I use this directive?

Ok. Thanks.

-- 
Jochen Kaechelin
jk@linux.amsjk.de



Re: [users@httpd] I'm too stupid to configure suexec

Posted by Scott Lamb <sl...@slamb.org>.
Jochen Kächelin wrote:
> Do you also have the "LoadModule suexec_module modules/mod_suexec.so" line?
> 
> No, there's no line in my /etc/httpd/httpd.conf!
> 
> /usr/local/apache2/bin/httpd -l shows:
> 
> 
> Compiled in modules:
[...]
>   mod_suexec.c

Oh, okay. You don't need it, then.

> I'm looking for a script to test my configuration!
> 
> How can I test under what user a Perl script is running?

There are special variables in perl that describe the current uid and 
gid. Take a look at "perldoc perlvar" for details, but this should tell 
you what you want:

     #!/usr/bin/perl
     print "Content-type: text/plain\n\n";
     print "I am real uid $<, effective uid $>.\n";
     print "I am real gid $(, effective gid $).\n";

Real and effective should be the same here, I think.

If you want to be really sure, be sure to test some failure cases, too - 
a user below the minimum number, overly permissive permissions, etc. You 
should get an unhelpful error message when viewing the page and 
something more useful in suexec_log.

Scott
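Scott's advice to exercise the failure cases (a user below the minimum, overly permissive permissions) can be done from the shell before touching a browser. The script below is an added example for this thread, not code from httpd or from either poster: it re-applies the acceptance rules suexec enforces at run time (target uid/gid not root and not below the compiled minimums, program directory under the compiled docroot, directory and program owned by the target user and group, neither writable by group or others, program not setuid/setgid) to a CGI path and reports every rule that would make suexec refuse it. The function names `suexec_preflight` and `make_demo_docroot` are invented here; the demo docroot is constructed under `mktemp` and mirrors the thread's `hosting/619/www.xxxx.de` layout; GNU coreutils `stat -c` is assumed, as on the Red Hat box in the thread.

```shell
#!/bin/sh
# Reproduce from the shell the checks Apache's suexec wrapper makes before it
# will run a CGI program: target user/group not root and not below the
# compiled minimums, program directory inside the compiled docroot, directory
# and program owned by the target user/group, neither writable by group or
# others, program not setuid/setgid. Added example for this thread; not code
# from httpd or from the posters. Assumes GNU coreutils `stat -c` (Linux).

# suexec_preflight SCRIPT DOCROOT TARGET_UID TARGET_GID UIDMIN GIDMIN
# Prints one "FAIL: ..." line per violated rule and returns the failure count,
# so 0 means a suexec built with these values would accept the program.
suexec_preflight() {
    script=$1 docroot=${2%/} want_uid=$3 want_gid=$4 uidmin=$5 gidmin=$6
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # Target identity (the superuser and minimum-ID checks).
    [ "$want_uid" -eq 0 ] && fail "target uid 0 is root"
    [ "$want_gid" -eq 0 ] && fail "target gid 0 is the root group"
    [ "$want_uid" -lt "$uidmin" ] && fail "uid $want_uid is below --with-suexec-uidmin=$uidmin"
    [ "$want_gid" -lt "$gidmin" ] && fail "gid $want_gid is below --with-suexec-gidmin=$gidmin"

    # suexec chdir()s into the program's directory and compares getcwd() with
    # the docroot, so a symlinked directory is judged by where it really points.
    dir=$(cd -P -- "$(dirname -- "$script")" 2>/dev/null && pwd -P) \
        || { fail "cannot change into the directory of $script"; return $fails; }
    case "$dir/" in
        "$docroot"/*) ;;
        *) fail "$dir is outside --with-suexec-docroot=$docroot" ;;
    esac

    # Directory: owned by the target uid/gid, not writable by group or others
    # (positions 6 and 9 of the symbolic mode string, e.g. drwxr-xr-x).
    set -- $(stat -c '%u %g %A' "$dir")
    [ "$1" -eq "$want_uid" ] && [ "$2" -eq "$want_gid" ] \
        || fail "$dir is owned by $1:$2, not $want_uid:$want_gid"
    case "$3" in ?????w*|????????w*) fail "$dir is writable by group or others" ;; esac

    # Program: a regular file (suexec lstat()s it and rejects a symlink), same
    # owner, not writable by group or others, not setuid/setgid (positions 4/7).
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        fail "$script is missing or is a symlink"
        return $fails
    fi
    set -- $(stat -c '%u %g %A' "$script")
    [ "$1" -eq "$want_uid" ] && [ "$2" -eq "$want_gid" ] \
        || fail "$script is owned by $1:$2, not $want_uid:$want_gid"
    case "$3" in ?????w*|????????w*) fail "$script is writable by group or others" ;; esac
    case "$3" in ???[sS]*|??????[sS]*) fail "$script is setuid or setgid" ;; esac
    return $fails
}

# Constructed docroot mirroring the thread's layout (hosting/619/www.xxxx.de),
# with one script set up the way suexec wants and one left world-writable,
# the "overly permissive permissions" failure case. Prints the docroot path.
make_demo_docroot() {
    root=$(cd -P -- "$(mktemp -d)" && pwd -P)
    site=$root/hosting/619/www.xxxx.de
    mkdir -p "$site" && chmod 755 "$site"
    for name in good.cgi sloppy.cgi; do
        printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\n$<\\n";\n' > "$site/$name"
    done
    chmod 755 "$site/good.cgi"
    chmod 777 "$site/sloppy.cgi"
    echo "$root"
}

# Stand-alone demo. The thread's minimums (500/500) are replaced by the
# current user's ids so the demo is meaningful on any account.
demo() {
    root=$(make_demo_docroot)
    for cgi in good.cgi sloppy.cgi; do
        echo "== $cgi"
        if suexec_preflight "$root/hosting/619/www.xxxx.de/$cgi" "$root" \
                "$(id -u)" "$(id -g)" "$(id -u)" "$(id -g)"; then
            echo "OK: suexec would run this program"
        fi
    done
    rm -rf "$root"
}
demo
```

Point `suexec_preflight` at a real vhost, e.g. `suexec_preflight /www/hosting/619/www.xxxx.de/test.cgi /www 500 500 500 500`, with the same uid/gid and minimums the binary was compiled with (`suexec -V` prints them). Each FAIL line is a reason suexec would record in suexec_log before the browser shows the unhelpful 500 page; a clean run with no FAIL lines, followed by the Perl uid/gid test above, covers both the positive and the negative cases.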



Re[2]: [users@httpd] I'm too stupid to configure suexec

Posted by Jochen Kächelin <jk...@linux.amsjk.de>.
Yes, everything there looks right for the configuration you've described.

 Mmmmh, sounds good!

Are the /www directories actually there or symlinks?

 They are actually there!

Do you also have the "LoadModule suexec_module modules/mod_suexec.so" line?

No, there's no line in my /etc/httpd/httpd.conf!

/usr/local/apache2/bin/httpd -l shows:


Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_include.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_suexec.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c

Are you experiencing a problem, or do you just want confirmation that 
you have no blatant security hole?


I'm looking for a script to test my configuration!

How can I test under what user a Perl script is running?



Re: [users@httpd] I'm too stupid to configure suexec

Posted by Scott Lamb <sl...@slamb.org>.
Jochen Kächelin wrote:
> --enable-suexec \
> --with-suexec-caller=99 \
> --with-suexec-docroot=/www \
> --with-suexec-uidmin=500 \
> --with-suexec-gidmin=500
> 
> <VirtualHost xxx.xxx.xxx.xxx>
>         DocumentRoot /www/hosting/619/www.xxxx.de
>         ServerName www.xxx.de
>         ErrorLog /www/logs/error.log
>         TransferLog /www/logs/access.log
>         SuexecUserGroup jochen jochen
> </VirtualHost>
> 
> Is this ok???

Yes, everything there looks right for the configuration you've described.

Are the /www directories actually there or symlinks?

Do you also have the "LoadModule suexec_module modules/mod_suexec.so" line?

Are you experiencing a problem, or do you just want confirmation that 
you have no blatant security hole?

Scott



Re[2]: [users@httpd] I'm too stupid to configure suexec

Posted by Jochen Kächelin <jk...@linux.amsjk.de>.
SL> Jochen Kächelin wrote:
>> --enable-suexec \
>> --with-suexec-caller=99 \

SL> Looking again at the documentation, I think this line should be 
SL> "--with-suexec-caller=#99" (mind shell escaping when typing it; maybe \# 
SL> actually) or "--with-suexec-caller=nobody". It wants a username, unlike 
SL> the other two below.


Now I use the following:

--with-suexec-caller=nobody \
--with-suexec-docroot=/www \
--with-suexec-uidmin=500 \
--with-suexec-gidmin=500 \
--with-suexec-logfile=/usr/local/apache2/logs/suexec_log

and your testscript

#!/usr/bin/perl
print "Content-type: text/plain\n\n";
print "I am real uid $<, effective uid $>.\n";
print "I am real gid $(, effective gid $).\n";

shows:

I am real uid 500, effective uid 500.
I am real gid 500 500, effective gid 500 500.

Looks good, or??

-- 
Jochen



Re: [users@httpd] I'm too stupid to configure suexec

Posted by Scott Lamb <sl...@slamb.org>.
Jochen Kächelin wrote:
> --enable-suexec \
> --with-suexec-caller=99 \

Looking again at the documentation, I think this line should be 
"--with-suexec-caller=#99" (mind shell escaping when typing it; maybe \# 
actually) or "--with-suexec-caller=nobody". It wants a username, unlike 
the other two below.

> --with-suexec-docroot=/www \
> --with-suexec-uidmin=500 \
> --with-suexec-gidmin=500

Weird that suexec is just running with the original permissions. Have 
you looked in suexec_log?

Also, I believe this security model works best if you give Apache its 
own user and don't let anything else run for it. So it's a little 
bothersome that you said "nobody", not "apache". You might consider 
changing that, though it's not what's causing your immediate problem.

Scott
