Posted to users@httpd.apache.org by "John T. Stucki" <js...@stern.nyu.edu> on 2003/11/06 15:58:32 UTC

[users@httpd] suEXEC to execute CGI programs as the user to which the request is being directed

Ok, I have thoroughly read through the Apache 2.x suexec doc and tried
numerous different things to get the following working.  Please help.

User directories:
The suEXEC wrapper can also be used to execute CGI programs as the user
to which the request is being directed. This is accomplished by using
the "~" character prefixing the user ID for whom execution is desired.
The only requirement needed for this feature to work is for CGI
execution to be enabled for the user and that the script must meet the
scrutiny of the security checks above.

As the above states, I should be able to configure suexec to do the following:

when this cgi script is run:
http://myserver/~userA/test.cgi
the test.cgi process is run as userA

and

when this cgi script is run:
http://myserver/~userB/test.cgi
the test.cgi process is run as userB

right???  but how do I configure it to do that?

When I do this:
SuexecUserGroup ~ nogroup
I get this:
httpd: bad user name ~

And if I use "SuexecUserGroup nobody nogroup" the configuration is 
static and all cgis are run as the same user, which defeats the purpose 
of suexec, which is to prevent users from modifying each other's cgi data.

Here's some additional info:
I'm running Apache apache-2.0.47 on Solaris 9
suexec -V
  -D AP_DOC_ROOT="/web/pages"
  -D AP_GID_MIN=100
  -D AP_HTTPD_USER="apache"
  -D AP_LOG_EXEC="castor-suexec.log"
  -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
  -D AP_UID_MIN=100
  -D AP_USERDIR_SUFFIX="public_html"

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] suEXEC to execute CGI programs as the user to which the request is being directed

Posted by "John T. Stucki" <js...@stern.nyu.edu>.
Actually I got it, I had to change the default group of my user in the 
password file.  Thanks Joshua.

John T. Stucki wrote:

> Thanks, but...
> 
> Ok, so I took out the SuexecUserGroup directive, but now I get this:
> [2003-11-06 11:50:47]: uid: (73503/localuser) gid: (1/1) cmd: cgi1.pl
> [2003-11-06 11:50:47]: cannot run as forbidden gid (1/cgi1.pl)
> 
> If I can't use SuexecUserGroup I can't set the gid, If I use 
> SuexecUserGroup  I can't get it to use the user's uid.  Seems like I'm 
> stuck between a rock and a hard place.
> 
> Here's additional info:
> # ls -al
> drwxr-xr-x   2 localuser nogroup      512 Nov  4 22:51 .
> drwxr-xr-x   3 localuser apache       512 Nov  4 22:51 ..
> -rw-r--r--   1 localuser nogroup     3088 Nov  6 11:31 castor-suexec.log
> -rwxr-xr-x   1 localuser nogroup      133 Nov  4 19:42 cgi1.pl
> 
> # ./apachectl -V
> Server version: Apache/2.0.47
> Server built:   Nov  3 2003 15:45:19
> Server's Module Magic Number: 20020903:4
> Architecture:   32-bit
> Server compiled with....
>  -D APACHE_MPM_DIR="server/mpm/prefork"
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_PROC_PTHREAD_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D HTTPD_ROOT="/usr/local/apache-2.0.47"
>  -D SUEXEC_BIN="/usr/local/apache-2.0.47/bin/suexec"
>  -D DEFAULT_PIDLOG="logs/httpd.pid"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_LOCKFILE="logs/accept.lock"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> 
> 
> 
> Joshua Slive wrote:
> 
>> On Thu, 6 Nov 2003, John T. Stucki wrote:
>>
>>> when this cgi script is run:
>>> http://myserver/~userA/test.cgi
>>> the test.cgi process is run as userA
>>>
>>> and
>>>
>>> when this cgi script is run:
>>> http://myserver/~userB/test.cgi
>>> the test.cgi process is run as userB
>>>
>>> right???  but how do I configure it to do that?
>>>
>>> When I do this:
>>> SuexecUserGroup ~ nogroup
>>> I get this:
>>> httpd: bad user name ~
>>
>>
>>
>> You don't need to use the SuexecUserGroup directive.  User directories 
>> are
>> handled automatically by mod_userdir and suexec.
>>
>>
>>> Here's some additional info:
>>> I'm running Apache apache-2.0.47 on Solaris 9
>>> suexec -V
>>>  -D AP_DOC_ROOT="/web/pages"
>>>  -D AP_GID_MIN=100
>>>  -D AP_HTTPD_USER="apache"
>>>  -D AP_LOG_EXEC="castor-suexec.log"
>>>  -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
>>>  -D AP_UID_MIN=100
>>>  -D AP_USERDIR_SUFFIX="public_html"
>>
>>
>>
>> And what do you get from apachectl -V?
>>
>> Joshua.
>>
>>
> 
> 
> 




Re: [users@httpd] suEXEC to execute CGI programs as the user to which the request is being directed

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 6 Nov 2003, John T. Stucki wrote:

> Thanks, but...
>
> Ok, so I took out the SuexecUserGroup directive, but now I get this:
> [2003-11-06 11:50:47]: uid: (73503/localuser) gid: (1/1) cmd: cgi1.pl
> [2003-11-06 11:50:47]: cannot run as forbidden gid (1/cgi1.pl)
>
> If I can't use SuexecUserGroup I can't set the gid, If I use
> SuexecUserGroup  I can't get it to use the user's uid.  Seems like I'm
> stuck between a rock and a hard place.

Apache uses getpwnam() to grab the userid and groupid for the specified
username.  For your user, the group id assigned in the user database
(/etc/password or whatever your OS uses) is 1.  This is not a good thing.
You can fix it by changing the group assigned to that user in your OS user
database.

Joshua.

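Added example, not part of the thread: a small Python model of the uid/gid range checks suexec applies to a `~user` request, using the AP_UID_MIN/AP_GID_MIN values from the poster's `suexec -V`, plus a parser for the suexec log line format shown above. The passwd table is a constructed stand-in for what getpwnam() would return; `localuser_fixed` is a hypothetical corrected entry.

```python
import re
from collections import namedtuple

# Compile-time limits from the poster's `suexec -V` output.
AP_UID_MIN = 100
AP_GID_MIN = 100

PwEntry = namedtuple("PwEntry", "name uid gid")

# Constructed stand-in for the OS user database that getpwnam() reads.
# The first row reproduces the failing entry from the thread (gid 1);
# the second is a hypothetical entry after the primary group was changed.
PASSWD = {
    "localuser": PwEntry("localuser", 73503, 1),
    "localuser_fixed": PwEntry("localuser_fixed", 73503, 65534),
}

# Matches the body of a suexec log line such as
# "[2003-11-06 11:50:47]: uid: (73503/localuser) gid: (1/1) cmd: cgi1.pl"
LOG_RE = re.compile(r"uid: \((\d+)/(\S+)\) gid: \((\d+)/(\S+)\) cmd: (\S+)")


def check_userdir_target(request_path, passwd=PASSWD):
    """Mirror the target uid/gid range checks suexec performs for a
    /~user/ request (a subset of its full check list). Returns (ok, reason)."""
    m = re.match(r"/~([^/]+)/", request_path)
    if not m:
        return False, "not a user-directory request"
    pw = passwd.get(m.group(1))
    if pw is None:
        return False, "bad user name %s" % m.group(1)
    if pw.uid < AP_UID_MIN:
        return False, "cannot run as forbidden uid (%d)" % pw.uid
    if pw.gid < AP_GID_MIN:
        return False, "cannot run as forbidden gid (%d)" % pw.gid
    return True, "would run as uid %d gid %d" % (pw.uid, pw.gid)


def explain_log_line(line):
    """Parse one suexec log line and report which compile-time limit the
    recorded ids violate, if any. Returns None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    uid, gid = int(m.group(1)), int(m.group(3))
    problems = []
    if uid < AP_UID_MIN:
        problems.append("uid %d < AP_UID_MIN %d" % (uid, AP_UID_MIN))
    if gid < AP_GID_MIN:
        problems.append("gid %d < AP_GID_MIN %d" % (gid, AP_GID_MIN))
    return {"cmd": m.group(5), "uid": uid, "gid": gid, "problems": problems}
```

Running `explain_log_line` over the poster's log line points straight at the primary gid of 1 being below AP_GID_MIN, which is the condition Joshua describes.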


Re: [users@httpd] suEXEC to execute CGI programs as the user to which the request is being directed

Posted by "John T. Stucki" <js...@stern.nyu.edu>.
Thanks, but...

Ok, so I took out the SuexecUserGroup directive, but now I get this:
[2003-11-06 11:50:47]: uid: (73503/localuser) gid: (1/1) cmd: cgi1.pl
[2003-11-06 11:50:47]: cannot run as forbidden gid (1/cgi1.pl)

If I can't use SuexecUserGroup I can't set the gid, If I use 
SuexecUserGroup  I can't get it to use the user's uid.  Seems like I'm 
stuck between a rock and a hard place.

Here's additional info:
# ls -al
drwxr-xr-x   2 localuser nogroup      512 Nov  4 22:51 .
drwxr-xr-x   3 localuser apache       512 Nov  4 22:51 ..
-rw-r--r--   1 localuser nogroup     3088 Nov  6 11:31 castor-suexec.log
-rwxr-xr-x   1 localuser nogroup      133 Nov  4 19:42 cgi1.pl

# ./apachectl -V
Server version: Apache/2.0.47
Server built:   Nov  3 2003 15:45:19
Server's Module Magic Number: 20020903:4
Architecture:   32-bit
Server compiled with....
  -D APACHE_MPM_DIR="server/mpm/prefork"
  -D APR_HAS_SENDFILE
  -D APR_HAS_MMAP
  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
  -D APR_USE_PROC_PTHREAD_SERIALIZE
  -D APR_USE_PTHREAD_SERIALIZE
  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
  -D APR_HAS_OTHER_CHILD
  -D AP_HAVE_RELIABLE_PIPED_LOGS
  -D HTTPD_ROOT="/usr/local/apache-2.0.47"
  -D SUEXEC_BIN="/usr/local/apache-2.0.47/bin/suexec"
  -D DEFAULT_PIDLOG="logs/httpd.pid"
  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
  -D DEFAULT_LOCKFILE="logs/accept.lock"
  -D DEFAULT_ERRORLOG="logs/error_log"
  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
  -D SERVER_CONFIG_FILE="conf/httpd.conf"



Joshua Slive wrote:

> On Thu, 6 Nov 2003, John T. Stucki wrote:
> 
>>when this cgi script is run:
>>http://myserver/~userA/test.cgi
>>the test.cgi process is run as userA
>>
>>and
>>
>>when this cgi script is run:
>>http://myserver/~userB/test.cgi
>>the test.cgi process is run as userB
>>
>>right???  but how do I configure it to do that?
>>
>>When I do this:
>>SuexecUserGroup ~ nogroup
>>I get this:
>>httpd: bad user name ~
> 
> 
> You don't need to use the SuexecUserGroup directive.  User directories are
> handled automatically by mod_userdir and suexec.
> 
> 
>>Here's some additional info:
>>I'm running Apache apache-2.0.47 on Solaris 9
>>suexec -V
>>  -D AP_DOC_ROOT="/web/pages"
>>  -D AP_GID_MIN=100
>>  -D AP_HTTPD_USER="apache"
>>  -D AP_LOG_EXEC="castor-suexec.log"
>>  -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
>>  -D AP_UID_MIN=100
>>  -D AP_USERDIR_SUFFIX="public_html"
> 
> 
> And what do you get from apachectl -V?
> 
> Joshua.
> 
> 




Re: [users@httpd] suEXEC to execute CGI programs as the user to which the request is being directed

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 6 Nov 2003, John T. Stucki wrote:
> when this cgi script is run:
> http://myserver/~userA/test.cgi
> the test.cgi process is run as userA
>
> and
>
> when this cgi script is run:
> http://myserver/~userB/test.cgi
> the test.cgi process is run as userB
>
> right???  but how do I configure it to do that?
>
> When I do this:
> SuexecUserGroup ~ nogroup
> I get this:
> httpd: bad user name ~

You don't need to use the SuexecUserGroup directive.  User directories are
handled automatically by mod_userdir and suexec.

> Here's some additional info:
> I'm running Apache apache-2.0.47 on Solaris 9
> suexec -V
>   -D AP_DOC_ROOT="/web/pages"
>   -D AP_GID_MIN=100
>   -D AP_HTTPD_USER="apache"
>   -D AP_LOG_EXEC="castor-suexec.log"
>   -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
>   -D AP_UID_MIN=100
>   -D AP_USERDIR_SUFFIX="public_html"

And what do you get from apachectl -V?

Joshua.
