Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/10/03 17:51:25 UTC

DO NOT REPLY [Bug 31517] New: - suEXEC setuid check fails on OpenBSD

http://issues.apache.org/bugzilla/show_bug.cgi?id=31517

suEXEC setuid check fails on OpenBSD

           Summary: suEXEC setuid check fails on OpenBSD
           Product: Apache httpd-2.0
           Version: 2.0.51
          Platform: PC
        OS/Version: Other
            Status: UNCONFIRMED
          Severity: Major
          Priority: Other
         Component: support
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: justin.r.hall@gmail.com


In httpd-2.0.51 and httpd-2.0.52, suEXEC will not load under OpenBSD if compiled
in directly due to a faulty setuid check.

$ ./configure --prefix=/usr/local/apache2 --exec-prefix=/usr/local/apache2 \
    --bindir=/usr/local/apache2/bin --sbindir=/usr/local/apache2/sbin \
    --enable-layout=OpenBSD --enable-modules=all --enable-so --enable-ssl \
    --enable-rewrite --enable-autoindex --enable-suexec \
    --with-suexec-bin=/usr/local/apache2/sbin/suexec --with-suexec-caller=www \
    --with-suexec-docroot=/usr/local/apache2/cgi-bin --disable-ipv6 --with-ssl

$ /usr/local/apache2/sbin/httpd -V
Server version: Apache/2.0.52
Server built:   Oct  3 2004 09:25:52
Server's Module Magic Number: 20020903:9
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_MMAP
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/sbin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

$ ls -lF /usr/local/apache2/sbin/suexec
-rwsr-x---  1 root  suexec  30529 Oct  3 09:28 /usr/local/apache2/sbin/suexec*

$ /usr/local/apache2/sbin/suexec -V
 -D AP_DOC_ROOT="/usr/local/apache2/cgi-bin"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www"
 -D AP_LOG_EXEC="/usr/local/apache2/logs/suexec_log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"

[httpd runs as user www, group suexec]:

$ ps auxwwww | grep httpd
www      10433  0.0  0.3  1936  1716 ??  I      9:29AM    0:00.01 /usr/local/apache2/sbin/httpd -k start

$ /usr/local/apache2/sbin/apachectl configtest
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Syntax OK

On lines 217 and 221 of httpd-2.0.52/os/unix/unixd.c:

/* since APR 0.9.5 */
#ifdef APR_USETID
    if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
#endif
        unixd_config.suexec_enabled = 1;
#ifdef APR_USETID
    }
#endif
}

...changed to the following (to disable the check):

/* since APR 0.9.5 */
#if 0
    if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
#endif
        unixd_config.suexec_enabled = 1;
#if 0
    }
#endif
}

...it then allows suexec to work fine once you rebuild. This is the case in
httpd-2.0.51 and httpd-2.0.52 on OpenBSD.
