Suexec: cannot run as forbidden guid

Cameron Simpson cs at zip.com.au
Sun Apr 4 08:56:27 UTC 2004


On 22:37 01 Apr 2004, Ryan Golhar <golharam at umdnj.edu> wrote:
| I have RedHat 9 running a web server for several people. [...]
| They have their own public_html directories with a cgi-bin directory as
| well.  All the users belong to the group 'users' with the GID of 100.  
| I started getting this error whenever a cgi script is called in the
| suexec log:
| 
| Uid: (501/golharam) gid: (100/100) cmd: test.cgi
| Cannot run as forbidden gid (100/test.cgi)
| 
| I created a new group called webapps with GID of 500 and chown'd the cgi
| file to golharam:webapps but still get the error message.
| I'm not even aware that I set up suexec.

The Apache shipped with RedHat uses suexec, which is quite handy.

Suexec has a large number of sanity checks turned on in it, and one of
these is a range check on the uid and gid of the script - the intent is
to refuse to run with ids that are too low on the premise that these are
usually admin-type ids (print services, etc) and shouldn't be available
to something as easy to mis-secure as a CGI script.

For an _internal_ web server (not internet facing) it may be sensible
to turn off a lot of these checks - at my work place we have several of
them disabled on the shared internal web server.

To do this you must recompile the suexec program from source - fetch
an Apache source matching the version on your web server and build the
suexec.c program and install it by hand. Think VERY CAREFULLY about any
checks you turn off and how their absence may be abused.

| I want the script to run a
| 'apache' which is what the web server is running as.  How can I keep the
| scripts as apache:apache?

A better question might be: why do you want this?

The only time you care about the uid/gid of a CGI script is if it must
access local data. No local data should be owned by apache - the whole
point of the apache user is to ensure that CGI scripts and the server
in general have no special privileges (i.e. can only access publicly
available files) for security.

Probably you need to renumber the gid of the group you do want to use,
whatever it is - probably not "apache" - to an id over 1000.

Cheers,
-- 
Cameron Simpson <cs at zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

It is necessary for technical reasons that these warheads be stored with
the top at the bottom and the bottom at the top. In order that there may
be no doubt as to which is the top and which is the bottom, for storage
purposes it will be seen that the bottom of each head has been labelled
with the word TOP.      - Instructions for storing British nuclear warheads
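Added example for this thread (not code from the message above, and not Apache's suexec itself): a Python model of the target-id range check that produces "cannot run as forbidden gid", plus the per-file checks suexec applies right after it, driven by parsed `suexec -V` output. The `suexec -V` sample text and the AP_UID_MIN/AP_GID_MIN values in it are constructed for the example; on a real host you would feed the function the output of `suexec -V` (run as root) and the uid/gid the server will hand to suexec.

```python
"""Predict suexec's refusal of a CGI target from its compile-time settings.

Added example for this thread, not code from the message above and not
Apache's suexec itself.  It models, in Python, the first checks suexec.c
applies to the target user/group: uid and gid must be nonzero and not below
the AP_UID_MIN / AP_GID_MIN it was compiled with, and the script itself must
be owned by that uid/gid and not be setuid/setgid or group/other-writable.
The `suexec -V` text below is constructed for this example; on a real host
feed parse_suexec_v() the output of `suexec -V` (run as root) instead.
"""
import os
import re
import stat
from typing import Dict

# Constructed sample of `suexec -V` output (Apache 2.x prints its build-time
# -D settings one per line).  The minimum ids here are assumptions.
SAMPLE_SUEXEC_V = """\
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=500
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"
"""

# One "-D NAME=VALUE" per line; VALUE may or may not be double-quoted.
_DEFINE = re.compile(r'^\s*-D\s+(\w+)=("?)(.*?)\2\s*$')


def parse_suexec_v(text: str) -> Dict[str, str]:
    """Map each -D NAME=VALUE line of `suexec -V` output to {NAME: VALUE}."""
    settings = {}
    for line in text.splitlines():
        m = _DEFINE.match(line)
        if m:
            settings[m.group(1)] = m.group(3)
    return settings


def range_reason(uid: int, gid: int, cmd: str, settings: Dict[str, str]) -> str:
    """Return the log line suexec's uid/gid range checks would produce, or ""
    if they pass.  Root is always refused; so is any id below the minimum."""
    uid_min = int(settings.get("AP_UID_MIN", 0))
    gid_min = int(settings.get("AP_GID_MIN", 0))
    if uid == 0 or uid < uid_min:
        return f"cannot run as forbidden uid ({uid}/{cmd})"
    if gid == 0 or gid < gid_min:
        return f"cannot run as forbidden gid ({gid}/{cmd})"
    return ""


def file_reason(mode: int, f_uid: int, f_gid: int,
                uid: int, gid: int, cmd: str) -> str:
    """Model the per-file checks that follow the range checks: the script may
    not be setuid/setgid or group/other-writable, and it must be owned by the
    target uid/gid.  Messages paraphrase suexec's own log lines."""
    if mode & (stat.S_ISUID | stat.S_ISGID):
        return f"file is either setuid or setgid: ({cmd})"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"file is writable by others: ({cmd})"
    if (f_uid, f_gid) != (uid, gid):
        return (f"target uid/gid ({uid}/{gid}) mismatch with program "
                f"({f_uid}/{f_gid})")
    return ""


def predict(path: str, uid: int, gid: int, settings: Dict[str, str]) -> str:
    """Run both stages against a real file.  "" means suexec would go on to its
    remaining checks (document root, directory permissions, environment)."""
    cmd = os.path.basename(path)
    reason = range_reason(uid, gid, cmd, settings)
    if reason:
        return reason
    st = os.stat(path)
    return file_reason(st.st_mode, st.st_uid, st.st_gid, uid, gid, cmd)


if __name__ == "__main__":
    s = parse_suexec_v(SAMPLE_SUEXEC_V)
    # The case from the thread: uid 501 whose primary group is gid 100.
    print(range_reason(501, 100, "test.cgi", s))
    # After moving the group above the compiled-in minimum, the range check passes.
    print(repr(range_reason(501, 1001, "test.cgi", s)))
```

Design note: for `~user` CGI served by mod_userdir, the gid the server hands to suexec is the user's primary group from the passwd entry, not the group of the script file, so changing the file's group on its own does not change the gid that appears in the log line; either the user's primary group must be one that clears AP_GID_MIN, or the group must be renumbered, as the reply above suggests. The file ownership check modelled in `file_reason` then requires the script's uid/gid to match that target pair, so the file's group must follow whatever group the user ends up running as.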
