Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/10/03 17:51:25 UTC
DO NOT REPLY [Bug 31517] New: - suEXEC setuid check fails on OpenBSD
http://issues.apache.org/bugzilla/show_bug.cgi?id=31517
Summary: suEXEC setuid check fails on OpenBSD
Product: Apache httpd-2.0
Version: 2.0.51
Platform: PC
OS/Version: Other
Status: UNCONFIRMED
Severity: Major
Priority: Other
Component: support
AssignedTo: bugs@httpd.apache.org
ReportedBy: justin.r.hall@gmail.com
In httpd-2.0.51 and httpd-2.0.52, suEXEC will not load under OpenBSD if compiled
in directly due to a faulty setuid check.
$ ./configure --prefix=/usr/local/apache2 --exec-prefix=/usr/local/apache2 \
    --bindir=/usr/local/apache2/bin --sbindir=/usr/local/apache2/sbin \
    --enable-layout=OpenBSD --enable-modules=all --enable-so --enable-ssl \
    --enable-rewrite --enable-autoindex --enable-suexec \
    --with-suexec-bin=/usr/local/apache2/sbin/suexec --with-suexec-caller=www \
    --with-suexec-docroot=/usr/local/apache2/cgi-bin --disable-ipv6 --with-ssl
$ /usr/local/apache2/sbin/httpd -V
Server version: Apache/2.0.52
Server built: Oct 3 2004 09:25:52
Server's Module Magic Number: 20020903:9
Architecture: 32-bit
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_MMAP
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/usr/local/apache2"
-D SUEXEC_BIN="/usr/local/apache2/sbin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
$ ls -lF /usr/local/apache2/sbin/suexec
-rwsr-x--- 1 root suexec 30529 Oct 3 09:28 /usr/local/apache2/sbin/suexec*
$ /usr/local/apache2/sbin/suexec -V
-D AP_DOC_ROOT="/usr/local/apache2/cgi-bin"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="www"
-D AP_LOG_EXEC="/usr/local/apache2/logs/suexec_log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"
[httpd runs as user www, group suexec]:
$ ps auxwwww | grep httpd
www 10433 0.0 0.3 1936 1716 ?? I 9:29AM 0:00.01 /usr/local/apache2/sbin/httpd -k start
$ /usr/local/apache2/sbin/apachectl configtest
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Syntax OK
On lines 217 and 221 of httpd-2.0.52/os/unix/unixd.c:
        /* since APR 0.9.5 */
#ifdef APR_USETID
        if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
#endif
            unixd_config.suexec_enabled = 1;
#ifdef APR_USETID
        }
#endif
    }
...changed to the following (to disable the check):
        /* since APR 0.9.5 */
#if 0
        if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
#endif
            unixd_config.suexec_enabled = 1;
#if 0
        }
#endif
    }
...it then allows suexec to work fine once you rebuild. This is the case in
httpd-2.0.51 and httpd-2.0.52 on OpenBSD.
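Added example, not part of the original report or of the httpd/APR sources: a small diagnostic that evaluates the two conditions of the quoted check (setuid bit present, owner is uid 0) separately, using plain POSIX stat(2) instead of APR, so that the OS's own view of the wrapper can be compared with httpd's decision without compiling the check out. The function name, the WRAP_* flags and the extra group/world-writable test are assumptions of this example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Result bits; these names belong to this example, not to httpd or APR. */
#define WRAP_STAT_FAILED  0x1  /* stat(2) failed or not a regular file */
#define WRAP_NOT_SETUID   0x2  /* S_ISUID bit missing from st_mode */
#define WRAP_NOT_ROOT     0x4  /* owner is not uid 0 */
#define WRAP_OTHERS_WRITE 0x8  /* group- or world-writable (extra check) */

/* Evaluate each condition separately so the failing one is visible. */
int check_wrapper(const char *path)
{
    struct stat st;
    int result = 0;

    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return WRAP_STAT_FAILED;
    if (!(st.st_mode & S_ISUID))          /* analogue of protection & APR_USETID */
        result |= WRAP_NOT_SETUID;
    if (st.st_uid != 0)                   /* analogue of wrapper.user == 0 */
        result |= WRAP_NOT_ROOT;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) /* not part of the quoted check */
        result |= WRAP_OTHERS_WRITE;
    return result;
}

int main(int argc, char **argv)
{
    /* Default path is the SUEXEC_BIN value shown in the report. */
    const char *path = argc > 1 ? argv[1] : "/usr/local/apache2/sbin/suexec";
    int r = check_wrapper(path);

    if (r & WRAP_STAT_FAILED) {
        printf("%s: cannot stat, or not a regular file\n", path);
        return 2;
    }
    printf("setuid bit set     : %s\n", (r & WRAP_NOT_SETUID) ? "no" : "yes");
    printf("owned by uid 0     : %s\n", (r & WRAP_NOT_ROOT) ? "no" : "yes");
    printf("group/world write  : %s\n", (r & WRAP_OTHERS_WRITE) ? "yes" : "no");
    return r == 0 ? 0 : 1;
}
```

If this reports both conditions as met while httpd still prints the SuexecUserGroup warning, the mismatch is between what stat(2) returns and what ends up in wrapper.protection, not in the file's mode or owner.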