I have just patched SuEXEC, so it does not check the GID when 'SUEXEC_DONT_CHECK_GID' is defined. A patch is included below. Please e-mail me when you notice any errors. I am not very good at C, but I know the basics, so I'm quite sure this'll work.

Next problem is how to define SUEXEC_DONT_CHECK_GID. I think it should be in include/ap_config.h, which is, if I remember correctly, generated by configure, which is generated by Autoconf, so I'll probably need to edit configure.in. Am I right?

---------------------------
--- suexec.old.c 2007-11-21 12:09:39.000000000 +0100
+++ suexec.c 2007-11-21 12:20:38.000000000 +0100
@@ -564,9 +564,11 @@ * the name/group of the cwd or the program. */ if ((uid != dir_info.st_uid) || +#ifdef SUEXEC_DONT_CHECK_GID (gid != dir_info.st_gid) || - (uid != prg_info.st_uid) || - (gid != prg_info.st_gid)) { + (gid != prg_info.st_gid) || +#endif /* SUEXEC_DONT_CHECK_GID */ + (uid != prg_info.st_uid)) { log_err("target uid/gid (%ld/%ld) mismatch " "with directory (%ld/%ld) or program (%ld/%ld)\n", uid, gid,
-------------------------

(After applying, the lines look like this:)

    if ((uid != dir_info.st_uid) ||
#ifdef SUEXEC_DONT_CHECK_GID
        (gid != dir_info.st_gid) ||
        (gid != prg_info.st_gid) ||
#endif /* SUEXEC_DONT_CHECK_GID */
        (uid != prg_info.st_uid)) {

Please let me know what you think about the patch. I'll apply it if I don't receive negative comments (and after I've figured out how to define SUEXEC_DONT_CHECK_GID).

Sjors

On Nov 20, 2007 9:02 PM, Sjors Gielen <sjorsgielen@xxxxxxxxx> wrote:
> Hi,
>
> After fiddling around with it for a while, I have set up an Apache
> server that uses SuPHP and SuEXEC to change its UID and GID when a
> request arrives. I think I should explain a bit about how the setup
> works before going on with the real question.
> I've got the following (important) groups on my system:
> fpanel contains all fPanel users (which is, all users corresponding to
> a virtualhost, see below)
> fpanel-www is Apache's group.
>
> Next to that, there are these (important) users:
> fdazjorz - There are a lot of users like this one, but for now, I'll just
> use fdazjorz. fdazjorz is used when serving http://dazjorz.com/. It is
> in the 'fpanel' group.
> fpanel-www - Apache's user.
>
> Note that at the moment, the Apache server runs at port 81 (so that'd
> make http://dazjorz.com:81/), I won't repeat the :81 all the time, and
> it'll be 80 once this is all set up.
>
> I have set a rule for myself in setting up this Apache server: Only
> the owner and Apache may read the virtualhosts' contents.
> This means,
> for dazjorz.com, that only fdazjorz:fpanel and fpanel-www:fpanel-www
> may read the files. I've set up a complete hierarchy in /var/www so
> the contents are in /var/www/com/dazjorz/web/www. Next to that, I've
> set all directories in /var/www/{com,org,uk,nl} setgid fpanel-www, so
> when somebody creates a new file or directory, it automatically gets
> the group 'fpanel-www'. This way, only the owner and Apache can read
> the files.
>
> Here is also the real problem. Apache can read the files correctly,
> and so can the owner, and nobody else. Do any of you remember rule 18
> of SuEXEC?
> # 18. Is the target user/group the same as the program's user/group?
> In my current configuration, the group is always fpanel-www, while
> SuEXEC changes group to fpanel (if it would change to fpanel-www, the
> scripts would be able to read all files having group fpanel-www).
>
> When I request a Perl file called lezen.pl, owned by
> fdazjorz:fpanel-www, I get this in my SuEXEC log:
> [2007-11-20 20:20:09]: uid: (1003/fdazjorz) gid: (1001/1001) cmd: lezen.pl
> [2007-11-20 20:20:09]: target uid/gid (1003/1001) mismatch with
> directory (1003/119) or program (1003/119)
>
> Now when I change the group of the whole dazjorz.com hierarchy tree
> (/var/www/com/dazjorz/web) to "fpanel" (note that everybody can read
> it now), Apache screams at me for not being able to read the .htaccess
> file, since it runs as fpanel-www.
>
> I see almost no way out of here, except running Apache as root:root,
> and letting it setuid/setgid later, or hacking SuEXEC to allow the
> script or directory to have a different group. What do you guys think
> about it? I'm really getting a headache here...
>
> Sjors
> ---------------------------------------------------------------------

The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info.
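Review bot: the preprocessor condition in the hunk is inverted. `+#ifdef SUEXEC_DONT_CHECK_GID` compiles the two `(gid != ...st_gid)` comparisons in only when the macro is defined, so a default build (macro undefined) silently drops the group check, while the build that defines the macro is the one that keeps it; the guard should be `#ifndef SUEXEC_DONT_CHECK_GID`. Two smaller points on the same hunk: the unchanged `log_err("target uid/gid (%ld/%ld) mismatch "` text will still report a gid mismatch in the build where gid is no longer compared, so that build should log a uid-only message; and because defining the macro relaxes check 18 (target group must match the group of the directory and of the program), the new build option belongs in the suexec documentation so that an administrator knows a script may then execute under a group other than the one owning its files.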