Posted to users@httpd.apache.org by Fabio Corazza <fa...@newbay.com> on 2006/10/03 13:58:26 UTC

[users@httpd] suEXEC verbosity

Hi everyone,
 we are using a CGI under Apache that is spawned under a different user
through mod_suexec.

Everything is fine except the verbosity of the suEXEC mechanism, which
writes a notice for every request that is passed to the CGI:

[2006-10-03 11:52:11]: uid: (501/tmctaux) gid: (501/501) cmd: imagescaler.cgi
[2006-10-03 11:52:11]: notice: AP_SUEXEC_UMASK of 002 allows write permission to group and/or other
[2006-10-03 11:52:11]: uid: (501/tmctaux) gid: (501/501) cmd: imagescaler.cgi
[2006-10-03 11:52:11]: notice: AP_SUEXEC_UMASK of 002 allows write permission to group and/or other

I'd like to get rid of those notices since in production this logfile
will become HUGE (we receive a LOT of requests to that CGI).

I couldn't find any directive that can adjust the verbosity of the
suexec_log file, so if you have a solution for this issue or a
workaround I would greatly appreciate your help.




Regards,

-- 
Fabio Corazza - Engineering
NewBay Software, Ltd.
Wilson House, Fenian Street, Dublin 2, Ireland
Phone: +353 1 634 5490 - e-mail: fabio@newbay.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] suEXEC verbosity

Posted by Fabio Corazza <fa...@newbay.com>.
Joshua Slive wrote:
> On 10/3/06, Fabio Corazza <fa...@newbay.com> wrote:
> 
>> What concerns me is: if I delete the logging of the transactions,
>> will suEXEC be able to open the log file if any other error happens?
> 
> Sorry, but I'm not going to give you advice on hacking suexec.  The
> consequences if I made a mistake or if you misinterpreted my advice
> would be too nasty.

I'm testing the "silenced" suexec on a test environment, so even if it
would be nasty, it wouldn't bother too much.

> So my advice would be, if you don't understand the suexec source code
> well enough to answer these questions yourself, you probably shouldn't
> be touching it.

I'll find some information around. Thanks anyway.



Regards,

-- 
Fabio Corazza - Engineering
NewBay Software, Ltd.
Wilson House, Fenian Street, Dublin 2, Ireland
Phone: +353 1 634 5490 - e-mail: fabio@newbay.com



Re: [users@httpd] suEXEC verbosity

Posted by Joshua Slive <jo...@slive.ca>.
On 10/3/06, Fabio Corazza <fa...@newbay.com> wrote:

> What concerns me is: if I delete the logging of the transactions,
> will suEXEC be able to open the log file if any other error happens?

Sorry, but I'm not going to give you advice on hacking suexec.  The
consequences if I made a mistake or if you misinterpreted my advice
would be too nasty.

So my advice would be, if you don't understand the suexec source code
well enough to answer these questions yourself, you probably shouldn't
be touching it.

Joshua.



Re: [users@httpd] suEXEC verbosity

Posted by Fabio Corazza <fa...@newbay.com>.
Joshua Slive wrote:
> Those messages are generated within suexec and since suexec is not
> run-time configurable (for security reasons) they are not
> configurable.  You would need to edit the source code and recompile
> (being careful to heed the warnings about not messing with suexec
> unless you know what you are doing).
> 
> Joshua.

Ok, that's what I did. Inside suexec.c, I just commented out the following code:

log_no_err("uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
           target_uname, actual_uname,
           target_gname, actual_gname,
           cmd);

and:

if ((~AP_SUEXEC_UMASK) & 0022) {
    log_err("notice: AP_SUEXEC_UMASK of %03o allows "
            "write permission to group and/or other\n", AP_SUEXEC_UMASK);
}

While the second one can be safe to delete (it's just a notice about the
umask; since I use the umask setting, I don't want to be notified
about it), the first one may possibly cause some problems, since
the comment above it states:

    /*
     * Log the transaction here to be sure we have an open log
     * before we setuid().
     */

What concerns me is: if I delete the logging of the transactions,
will suEXEC be able to open the log file if any other error happens?



Regards,

-- 
Fabio Corazza - Engineering
NewBay Software, Ltd.
Wilson House, Fenian Street, Dublin 2, Ireland
Phone: +353 1 634 5490 - e-mail: fabio@newbay.com



Re: [users@httpd] suEXEC verbosity

Posted by Joshua Slive <jo...@slive.ca>.
On 10/3/06, Fabio Corazza <fa...@newbay.com> wrote:
> Hi everyone,
>  we are using a CGI under Apache that is spawned under a different user
> through mod_suexec.
>
> Everything is fine except the verbosity of the suEXEC mechanism, which
> writes a notice for every request that is passed to the CGI:
>
> [2006-10-03 11:52:11]: uid: (501/tmctaux) gid: (501/501) cmd: imagescaler.cgi
> [2006-10-03 11:52:11]: notice: AP_SUEXEC_UMASK of 002 allows write permission to group and/or other
> [2006-10-03 11:52:11]: uid: (501/tmctaux) gid: (501/501) cmd: imagescaler.cgi
> [2006-10-03 11:52:11]: notice: AP_SUEXEC_UMASK of 002 allows write permission to group and/or other
>
> I'd like to get rid of those notices since in production this logfile
> will become HUGE (we receive a LOT of requests to that CGI).
>
> I couldn't find any directive that can adjust the verbosity of the
> suexec_log file, so if you have a solution for this issue or a
> workaround I would greatly appreciate your help.

Those messages are generated within suexec and since suexec is not
run-time configurable (for security reasons) they are not
configurable.  You would need to edit the source code and recompile
(being careful to heed the warnings about not messing with suexec
unless you know what you are doing).

Joshua.



Re: [users@httpd] suEXEC verbosity

Posted by Fabio Corazza <fa...@newbay.com>.
Fabio Corazza wrote:
[snip]
> Everything is fine except the verbosity of the suEXEC mechanism, which
> writes a notice for every request that is passed to the CGI:
[snip]

With the help of a colleague we wrote a patch to get rid of the excessive
verbosity of suEXEC, for those who intend to run it on high-load web
servers with a lot of requests going through the invoked script (it may
be desirable not to have 4 lines printed to the log for every request).

Basically we suppress the output that is generated every time that the
script is invoked (we just open the file), and we suppress the umask
notice as well.

It didn't produce any nasty effect in our environment.

Any comment is appreciated.



Regards,

-- 
Fabio Corazza - Engineering
NewBay Software, Ltd.
Wilson House, Fenian Street, Dublin 2, Ireland
Phone: +353 1 634 5490 - e-mail: fabio@newbay.com
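
The question left open in this thread (the source comment about having an open log before setuid(), and the patch's "we just open the file" approach) is modelled below as an added example; it is not part of any post and is not code from suexec.c. It assumes a logger that opens its file lazily on first use, and it uses chmod() on a temporary file as a stand-in for the privilege drop; open_log_quiet, log_msg, run_scenario and the /tmp path are hypothetical names.

```c
/* Added illustration; not code from suexec.c. All names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static FILE *log_fp;       /* assumption: the log is opened lazily on first use */
static char log_path[64];

/* Open the log without writing a record. Returns 0 on success. */
int open_log_quiet(void)
{
    if (!log_fp) log_fp = fopen(log_path, "a");
    return log_fp ? 0 : -1;
}

/* Write one record, opening the log first if nothing opened it earlier. */
int log_msg(const char *fmt, ...)
{
    va_list ap;
    if (open_log_quiet() != 0) return -1;   /* the record is lost */
    va_start(ap, fmt);
    vfprintf(log_fp, fmt, ap);
    va_end(ap);
    return fflush(log_fp) == 0 ? 0 : -1;
}

/* Log size in bytes after an error logged post-drop; -2 on setup failure. */
long run_scenario(int open_before_drop)
{
    struct stat st;
    snprintf(log_path, sizeof log_path, "/tmp/suexec_demo_XXXXXX");
    int fd = mkstemp(log_path);
    if (fd < 0) return -2;
    close(fd);
    log_fp = NULL;
    if (open_before_drop && open_log_quiet() != 0) return -2;
    /* Stand-in for setuid(): the path is no longer openable, open handles still work. */
    if (chmod(log_path, 0) != 0) return -2;
    log_msg("error: failure after privilege drop\n");
    if (log_fp) { fclose(log_fp); log_fp = NULL; }
    if (stat(log_path, &st) != 0) st.st_size = -2;
    unlink(log_path);
    return (long)st.st_size;
}

int main(void)
{
    printf("open before drop: %ld bytes; open after: %ld bytes\n", run_scenario(1), run_scenario(0));
    return 0;
}
```

Run as an unprivileged user, the second figure is 0: the error record written after the drop never reaches the log. Run as root, chmod() does not block the late open, so the stand-in only shows the difference for non-root callers.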