Re: SuExec issues

On 2/14/07, Kövesdán Gábor <gabor.kovesdan@xxxxxxxxxxxx> wrote:

Thanks for the detailed explanation. I'm running php as CGI now, but
I've run into a strange issue.
Firstly, I got this message:
[2007-02-12 20:37:45]: cannot get docroot information (/usr/local/www/data)
I wondered why I get this, since the DocumentRoot is different for the
given VirtualHost, but I've modified the modes on this directory, and
this message vanished. The next one was:
[2007-02-12 20:39:34]: command not in docroot (/usr/local/bin/php-cgi)
I see, it is not in the above directory, but why is it necessary? How
can I avoid installing php there?
Ok, I copied the php-cgi binary there (symlinking did not work) and the
next one was:
[2007-02-12 20:45:23]: target uid/gid (1003/1003) mismatch with
directory (0/0) or program (1003/1003)
I still can solve it by chowning php-cgi, but one issue remained: if I
have e.g. 20 websites, how can I get all of them to work when it can
only be chowned to one of them? Besides, the external php modules did
not work for me with this solution.

You should start by carefully reading
http://httpd.apache.org/docs/2.2/suexec.html

But yes, this is going to be a problem.  Suexec will only run binaries
owned by the target user.  So you can install suexec for each user
(and if you do this properly, the external modules should work).  Or
you can look into one of the alternative suid cgi helpers like cgiwrap
and suphp.  They have different security models.  I haven't used
either of them, so I can't provide specific guidance.

You can think of suexec a little bit like running things chroot'ed.
It specifically forbids access to arbitrary binaries for security
reasons.  (Although it is not the same thing, since once suexec runs a
binary, that binary can run arbitrary binaries under the permissions
of the target user.)

Joshua.
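The three rejections quoted in the thread ("cannot get docroot information", "command not in docroot", "target uid/gid ... mismatch with directory ... or program") correspond to checks a suexec-style helper runs before it will exec anything, and the poster's symlink attempt fails for the same reason: the helper lstat()s the program and refuses symbolic links. The script below is an added example, not part of this thread and not Apache's own suexec code; it models those checks, plus the not-writable-by-others and not-setuid/setgid checks that the suexec documentation lists, and runs them against a constructed temporary layout so an administrator can see why a given path would be refused. The function names, the temporary layout and the placeholder interpreter files are my own.

```python
import os
import stat
import tempfile
from pathlib import Path


def suexec_precheck(docroot, command, target_uid, target_gid):
    """Return the reasons a suexec-like helper would refuse to run `command`
    as target_uid/target_gid, or [] if every modeled check passes.
    Messages are modeled on those quoted in the thread; this is not suexec."""
    problems = []
    docroot = Path(docroot)
    # The helper first changes into the compiled-in document root.
    if not docroot.is_dir():
        problems.append(f"cannot get docroot information ({docroot})")
        return problems
    cmd = Path(command)
    # The program is examined with lstat(): a symbolic link is refused outright,
    # which is why linking php-cgi into the docroot did not work.
    if cmd.is_symlink() or not cmd.is_file():
        problems.append(f"cannot stat program: ({cmd})")
        return problems
    # The program's directory must lie inside the document root.
    root = str(docroot.resolve())
    cmd_dir = cmd.parent.resolve()
    if os.path.commonpath([root, str(cmd_dir)]) != root:
        problems.append(f"command not in docroot ({cmd})")
    dir_st = cmd_dir.stat()
    prg_st = cmd.stat()
    # Both the directory and the program must be owned by the target uid/gid,
    # so a single system-wide php-cgi cannot serve twenty differently owned sites.
    if ((dir_st.st_uid, dir_st.st_gid) != (target_uid, target_gid)
            or (prg_st.st_uid, prg_st.st_gid) != (target_uid, target_gid)):
        problems.append(
            f"target uid/gid ({target_uid}/{target_gid}) mismatch with "
            f"directory ({dir_st.st_uid}/{dir_st.st_gid}) or "
            f"program ({prg_st.st_uid}/{prg_st.st_gid})")
    # Neither may be writable by group or others, and the program must not be
    # setuid/setgid (checks listed in the suexec documentation).
    writable = stat.S_IWGRP | stat.S_IWOTH
    if dir_st.st_mode & writable:
        problems.append(f"directory is writable by others ({cmd_dir})")
    if prg_st.st_mode & writable:
        problems.append(f"file is writable by others ({cmd})")
    if prg_st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append(f"file is either setuid or setgid ({cmd})")
    return problems


def demo():
    """Build a constructed layout under a temp dir and run the check on it.
    Returns a dict scenario -> problem list. Ownership is taken from the files
    the current process creates, so the per-site copy passes for that user."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "www" / "data"
    cgi_bin = docroot / "cgi-bin"
    cgi_bin.mkdir(parents=True)
    os.chmod(docroot, 0o755)
    os.chmod(cgi_bin, 0o755)
    # Per-site copy of the interpreter inside the docroot (constructed stand-in).
    copied = cgi_bin / "php-cgi"
    copied.write_text("#!/bin/sh\necho ok\n")
    os.chmod(copied, 0o755)
    # System-wide binary outside the docroot (constructed stand-in).
    outside = base / "bin" / "php-cgi"
    outside.parent.mkdir()
    os.chmod(outside.parent, 0o755)
    outside.write_text("#!/bin/sh\necho ok\n")
    os.chmod(outside, 0o755)
    # A symlink inside the docroot pointing at the outside binary.
    linked = cgi_bin / "php-cgi-link"
    linked.symlink_to(outside)
    st = copied.stat()
    uid, gid = st.st_uid, st.st_gid
    return {
        "copied": suexec_precheck(docroot, copied, uid, gid),
        "outside": suexec_precheck(docroot, outside, uid, gid),
        "symlink": suexec_precheck(docroot, linked, uid, gid),
        "wrong_owner": suexec_precheck(docroot, copied, uid + 1, gid),
        "no_docroot": suexec_precheck(base / "missing", copied, uid, gid),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {found or 'OK'}")
```

Running the demo shows the thread's sequence in miniature: the outside binary is refused for being outside the docroot, the symlink is refused before any other check, and a copy in the docroot passes only when its owner matches the target user, which is why one copy per site user is the only layout suexec itself accepts.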

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


