Re: mod_cgi/918: if not using suexec, apache forces user to use server gid/uid settings

[Randy Terbush <ra...@zyzzyva.com>]

> No.  The server looks at the permissions on the script that suexec will
> execute, not the permissions on suexec.  Since when suexec eventually gets
> around to running the script, it will probably be as a different UID,
> checking based on the view of the user who runs suexec doesn't make sense.
> 
> The code could be expanded to know what user will be passed to suexec, but
> it hasn't been.

Correct. This had been brought up during 1.2 beta and I _thought_ 
was fixed. 

Index: util.c
===================================================================
RCS file: /export/home/cvs/apache/src/util.c,v
retrieving revision 1.64
diff -u -3 -r1.64 util.c
--- util.c	1997/07/21 05:53:52	1.64
+++ util.c	1997/07/27 18:47:54
@@ -993,7 +993,7 @@
     return (x ? 1 : 0);  /* If the first character is ':', it's broken, too */
 }
 
-API_EXPORT(int) can_exec(const struct stat *finfo) {
+API_EXPORT(int) can_exec(const request_rec *r) {
 #ifdef MULTIPLE_GROUPS
   int cnt;
 #endif
@@ -1001,20 +1001,20 @@
     /* OS/2 dosen't have Users and Groups */
     return 1;
 #else    
-    if(user_id == finfo->st_uid)
-        if(finfo->st_mode & S_IXUSR)
+    if(r->server->server_uid == r->finfo.st_uid)
+        if(r->finfo.st_mode & S_IXUSR)
             return 1;
-    if(group_id == finfo->st_gid)
-        if(finfo->st_mode & S_IXGRP)
+    if(r->server->server_gid == r->finfo.st_gid)
+        if(r->finfo.st_mode & S_IXGRP)
             return 1;
 #ifdef MULTIPLE_GROUPS
     for(cnt=0; cnt < NGROUPS_MAX; cnt++) {
-        if(group_id_list[cnt] == finfo->st_gid)
-            if(finfo->st_mode & S_IXGRP)
+        if(group_id_list[cnt] == r->finfo.st_gid)
+            if(r->finfo.st_mode & S_IXGRP)
                 return 1;
     }
 #endif
-    return (finfo->st_mode & S_IXOTH);
+    return (r->finfo.st_mode & S_IXOTH);
 #endif    
 }
 
Index: mod_cgi.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
retrieving revision 1.50
diff -u -3 -r1.50 mod_cgi.c
--- mod_cgi.c	1997/07/24 04:23:59	1.50
+++ mod_cgi.c	1997/07/27 18:48:13
@@ -394,7 +394,7 @@
 			       "script not found or unable to stat");
 #endif
     if (!suexec_enabled) {
-        if (!can_exec(&r->finfo))
+        if (!can_exec(r))
             return log_scripterror(r, conf, FORBIDDEN,
                                    "file permissions deny server execution");
     }
Index: httpd.h
===================================================================
RCS file: /export/home/cvs/apache/src/httpd.h,v
retrieving revision 1.132
diff -u -3 -r1.132 httpd.h
--- httpd.h	1997/07/23 00:09:02	1.132
+++ httpd.h	1997/07/27 18:48:37
@@ -751,7 +751,7 @@
 API_EXPORT(uid_t) uname2id(const char *name);
 API_EXPORT(gid_t) gname2id(const char *name);
 API_EXPORT(int) is_directory(const char *name);
-API_EXPORT(int) can_exec(const struct stat *);     
+API_EXPORT(int) can_exec(const request_rec *r);     
 API_EXPORT(void) chdir_file(const char *file);
      
 char *get_local_host(pool *);



> 
> On Sat, 26 Jul 1997, Dean Gaudet wrote:
> 
> > On Sat, 26 Jul 1997, Marc Slemko wrote:
> > > No.  can_exec just doesn't know about magic user ID changes like those
> > > that happen using suexec or some other wrapper.  It checks to see if it
> > > can be execed given the user ID the server is running as now.  
> > 
> > Um yes, well, what other uid is the server going to attempt to execute it
> > as? 
> > 
> > Am I totally confused?  I thought these things were setuid root (in the
> > case of suexec), or setuid user (in the case of cgiwrap).  In either case
> > the webserver needs permission to execute the file.  That's either group
> > or other x that needs to be set.
> > 
> > Dean
> > 
> > 

Re: mod_cgi/918: if not using suexec, apache forces user to use server gid/uid settings

[Dean Gaudet <dg...@arctic.org>]

On Sun, 27 Jul 1997, Randy Terbush wrote:

> Index: mod_cgi.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
> retrieving revision 1.50
> diff -u -3 -r1.50 mod_cgi.c
> --- mod_cgi.c	1997/07/24 04:23:59	1.50
> +++ mod_cgi.c	1997/07/27 18:48:13
> @@ -394,7 +394,7 @@
>  			       "script not found or unable to stat");
>  #endif
>      if (!suexec_enabled) {
> -        if (!can_exec(&r->finfo))
> +        if (!can_exec(r))
>              return log_scripterror(r, conf, FORBIDDEN,
>                                     "file permissions deny server execution");
>      }

I think you mean:

-    if (!suexec_enabled) {
-        if (!can_exec(&r->finfo))
-            return log_scripterror(r, conf, FORBIDDEN,
-                                   "file permissions deny server execution");
-    }
+    if (!can_exec(&r->finfo))
+        return log_scripterror(r, conf, FORBIDDEN,
+                               "file permissions deny server execution");

At any rate the submitter of 918 is checking out what's really wrong.
It became a problem for him going from a late beta of 1.2 to 1.2.1.

Dean

Re: mod_cgi/918: if not using suexec, apache forces user to use server gid/uid settings

[Marc Slemko <ma...@worldgate.com>]

On Sun, 27 Jul 1997, Randy Terbush wrote:

> > No.  The server looks at the permissions on the script that suexec will
> > execute, not the permissions on suexec.  Since when suexec eventually gets
> > around to running the script, it will probably be as a different UID,
> > checking based on the view of the user who runs suexec doesn't make sense.
> > 
> > The code could be expanded to know what user will be passed to suexec, but
> > it hasn't been.
> 
> Correct. This had been brought up during 1.2 beta and I _thought_ 
> was fixed. 

What about userdir requests?  Your patch deals not with them?