Posted to apache-bugdb@apache.org by Tyler Allison <al...@nas.nasa.gov> on 1997/07/26 00:50:02 UTC

mod_cgi/918: if not using suexec, apache forces user to use server gid/uid settings

>Number:         918
>Category:       mod_cgi
>Synopsis:       if not using suexec, apache forces user to use server gid/uid settings
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Jul 25 15:50:01 1997
>Originator:     allison@nas.nasa.gov
>Organization:
apache
>Release:        1.2.1
>Environment:
Environment is not an issue
>Description:
If I do not wish to use suexec, but instead use our own cgiwrap program that
enforces more strict control on cgi scripts, I must comment out the below 
section from mod_cgi because it forces the user to set the cgi scripts as the
same gid/uid of the server.

    if (!suexec_enabled) {
        if (!can_exec(&r->finfo))
            return log_scripterror(r, conf, FORBIDDEN,
                                   "file permissions deny server execution");
    }

>How-To-Repeat:
Don't use suexec and try and execute a cgi script as some other uid/gid than the
server.
>Fix:
Yes!
Please make this "force user to use same uid/gid as server" a compile-time option.
>Audit-Trail:
>Unformatted: