You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Rob Saccoccio <ro...@InfiniteTechnology.com> on 1999/02/22 15:29:28 UTC

RE: general/2580: Apache won't run CGI scripts executable only by a supplementary group

This appears to still be a problem under Apache 1.3.4.  I'll restate:

initgroups() is called to initialize supplementary groups for Apache, but
when CGI scripts are exec'd a check is performed which prevents the use of
those supplementary group privileges to exec() the script (unless
MULTIPLE_GROUPS is defined).  This is problematic because the script is
still invoked with the supplementary groups defined, thus it can exec others
using those privileges (that Apache couldn't).

My recommendation is to remove the supplementary groups using setgroups()
after the fork() (unless MULTIPLE_GROUPS is defined).

  robs