On 6/7/06, reader@xxxxxxxxxxx <reader@xxxxxxxxxxx> wrote:
"Joshua Slive" <joshua@xxxxxxxx> writes: > Check the group ownership. If the apache user is in the group that > owns suexec, then group execute permissions are enough. Ahh yes it was set `root apache' but when I do that on my home setup then I an execute cgi in public_html as user but as my program tries to access other files it fails. That is: -rwx--x--- 1 root apache 10880 May 31 15:09 /usr/sbin/suexec2 I can execute cgi but later on in the running program I get errors like this: Exception 435: unable to open image `image-cache/Sample Album/Orange Flower_disp100.jpg': Permission denied at /idsShared.pm line 696. But with: -rwx--x--x 1 root root 10880 May 31 15:09 /usr/sbin/suexec2 It works fine. All that changed is the permission shown above. Does require an apache restart.
You lost the suid "s" bit somewhere along the way. Without this, suexec doesn't do anything. As to your question of whether it is more secure to run with only the group execute bit, it doesn't make much difference in the case of suexec because the binary will exit if it isn't called by the specific user/group registered at compile-time. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|