Thanks Cameron. I thought about this for a while. I didn't want to make any source modifications in case there was an update that overwrote my changes. In any case, I ended up changing the GID of users from 100 to 500 in /etc/group and changed the user's default group in /etc/passwd from 100 to 500 and reset the ownerships on their files. Everything seems to be working now. It's odd because the scripts in /var/www/cgi-bin can be owned by anyone and run, so that pretty much does away with the security precautions...

-----
Ryan Golhar
Computational Biologist
The Informatics Institute at The University of Medicine & Dentistry of NJ
Phone: 973-972-5034
Fax: 973-972-7412
Email: golharam@xxxxxxxxx

-----Original Message-----
From: Cameron Simpson [mailto:cs@xxxxxxxxxx]
Sent: Sunday, April 04, 2004 4:56 AM
To: golharam@xxxxxxxxx; General Red Hat Linux discussion list
Subject: Re: Suexec: cannot run as forbidden guid

On 22:37 01 Apr 2004, Ryan Golhar <golharam@xxxxxxxxx> wrote:
| I have RedHat 9 running as a web server for several people. [...] They
| have their own public_html directories with a cgi-bin directory as
| well. All the users belong to the group 'users' with the GID of 100.
| I started getting this error whenever a cgi script is called in the
| suexec log:
|
| Uid: (501/golharam) gid: (100/100) cmd: test.cgi
| Cannot run as forbidden gid (100/test.cgi)
|
| I created a new group called webapps with GID of 500 and chown'd the
| cgi file to golharam:webapps but still get the error message. I'm not
| even aware that I set up suexec.

The Apache shipped with RedHat uses suexec. Which is quite handy.

Suexec has a large number of sanity checks turned on in it, and one of these is a range check on the uid and gid of the script - the intent is to refuse to run with ids that are too low, on the premise that these are usually admin-type ids (print services, etc) and shouldn't be available to something as easy to mis-secure as a CGI script.
For an _internal_ web server (not internet facing) it may be sensible to turn off a lot of these checks - at my work place we have several of them disabled on the shared internal web server. To do this you must recompile the suexec program from source - fetch an Apache source matching the version on your web server, build the suexec.c program and install it by hand. Think VERY CAREFULLY about any checks you turn off and how their absence may be abused.

| I want the script to run as
| 'apache' which is what the web server is running as. How can I keep
| the scripts as apache:apache?

A better question might be: why do you want this? The only time you care about the uid/gid of a CGI script is if it must access local data. No local data should be owned by apache - the whole point of the apache user is to ensure that CGI scripts and the server in general have no special privileges (i.e. can only access publicly available files) for security.

Probably you need to renumber the gid of the group you do want to use, whatever it is - probably not "apache" - to an id over 1000.

Cheers,
--
Cameron Simpson <cs@xxxxxxxxxx> DoD#743 http://www.cskk.ezoshosting.com/cs/

It is necessary for technical reasons that these warheads be stored with the top at the bottom and the bottom at the top. In order that there may be no doubt as to which is the top and which is the bottom, for storage purposes it will be seen that the bottom of each head has been labelled with the word TOP.
- Instructions for storing British nuclear warheads

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
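The range check Cameron describes and the renumbering Ryan ended up doing, as an added example that is not part of the thread or of Apache's own code. The script below reads the compiled-in minimums in the format `suexec -V` prints (run it as root on the real server), lists which passwd entries the binary would refuse because of uid 0 / gid 0 or an id below the minimum, and prints, without running them, the groupmod/usermod/find steps that move a group to a new gid. The `suexec -V` output, the passwd and group excerpts, and the AP_UID_MIN/AP_GID_MIN values are all constructed for illustration; the real thresholds are whatever your suexec was built with, so check them before assuming 500 or 1000.

```shell
#!/bin/sh
# Added example (not from the thread): model suexec's uid/gid range check,
# audit a passwd/group snapshot against it, and print the renumbering steps.
# Every value below is constructed; AP_*_MIN are assumed, not Red Hat's build.

# Constructed sample of what `suexec -V` prints when run as root.
SUEXEC_V='
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=500
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"
'

# Constructed /etc/passwd and /etc/group excerpts; only golharam and the
# 'users' group with gid 100 come from the thread, the rest is made up.
PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
golharam:x:501:100:Ryan Golhar:/home/golharam:/bin/bash
alice:x:502:100:Alice:/home/alice:/bin/bash'

GROUP='root:x:0:
users:x:100:
apache:x:48:'

# suexec_min UID|GID -> the AP_UID_MIN / AP_GID_MIN value from $SUEXEC_V
suexec_min() {
    printf '%s\n' "$SUEXEC_V" | sed -n "s/^ *-D AP_${1}_MIN=\([0-9]*\).*/\1/p"
}

# suexec_allows UID GID -> success iff suexec.c's range checks would pass:
# it refuses uid 0 and gid 0 outright, and anything below the minimums.
suexec_allows() {
    [ "$1" -ne 0 ] && [ "$1" -ge "$(suexec_min UID)" ] &&
    [ "$2" -ne 0 ] && [ "$2" -ge "$(suexec_min GID)" ]
}

# forbidden_users -> "name uid gid" for each passwd entry suexec would refuse
# (root and the apache user are expected here; the interesting ones are the
# ordinary accounts whose primary group is too low).
forbidden_users() {
    printf '%s\n' "$PASSWD" |
        awk -F: -v umin="$(suexec_min UID)" -v gmin="$(suexec_min GID)" \
            '$3 == 0 || $3 < umin || $4 == 0 || $4 < gmin { print $1, $3, $4 }'
}

# gid_of GROUPNAME -> numeric gid from $GROUP
gid_of() {
    printf '%s\n' "$GROUP" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# renumber_cmds GROUPNAME NEWGID [DIR] -> prints, without running, the steps
# from the reply above: change the group's gid, move every user whose primary
# group was the old gid, then re-own files still carrying the old numeric gid.
renumber_cmds() {
    old=$(gid_of "$1")
    echo "groupmod -g $2 $1"
    printf '%s\n' "$PASSWD" | awk -F: -v old="$old" '$4 == old { print $1 }' |
        while read -r u; do echo "usermod -g $2 $u"; done
    echo "find ${3:-/home} -xdev -gid $old -exec chgrp -h $2 {} +"
}

# Usage: audit the snapshot, then show the renumbering of 'users' to gid 500.
forbidden_users
renumber_cmds users 500 /home
```

The find step only touches files whose numeric group is still the old gid, so files belonging to other groups are left alone, and `-xdev` keeps it to one filesystem; review the printed commands before pasting them in as root. Note also that suexec is only invoked when Apache has a target user/group other than its own, i.e. a vhost with SuexecUserGroup or a `~user` request, so a script under /var/www/cgi-bin with no such directive is never range-checked at all: it simply runs as the apache user.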