Suexec: cannot run as forbidden guid

Ryan Golhar ryangolhar at verizon.net
Sun Apr 4 15:58:44 UTC 2004


Thanks Cameron.  I thought about this for a while.  I didn't want to
make any source modifications in case there was an update and overwrote
my changes.

In any case, I ended up changing the GID of users from 100 to 500 in
/etc/groups and changed the user's default group in /etc/passwd from 100
to 500 and reset the ownerships on their files. Everything seems to be
working now.

It's odd because the scripts in /var/www/cgi-bin can be owned by anyone
and run so that pretty much does away with the security precautions...

-----
Ryan Golhar
Computational Biologist
The Informatics Institute at
The University of Medicine & Dentistry of NJ

Phone: 973-972-5034
Fax: 973-972-7412
Email: golharam at umdnj.edu

-----Original Message-----
From: Cameron Simpson [mailto:cs at zip.com.au] 
Sent: Sunday, April 04, 2004 4:56 AM
To: golharam at umdnj.edu; General Red Hat Linux discussion list
Subject: Re: Suexec: cannot run as forbidden guid


On 22:37 01 Apr 2004, Ryan Golhar <golharam at umdnj.edu> wrote:
| I have RedHat 9 running as a web server for several people. [...] They
| have their own public_html directories with a cgi-bin directory as
| well.  All the users belong to the group 'users' with the GID of 100.
| I started getting this error whenever a cgi script is called in the
| suexec log:
| 
| Uid: (501/golharam) gid: (100/100) cmd: test.cgi
| Cannot run as forbidden gid (100/test.cgi)
| 
| I created a new group called webapps with GID of 500 and chown'd the 
| cgi file to golharam:webapps but still get the error message. I'm not 
| even aware that I set up suexec.

The Apache shipped with RedHat uses suexec. Which is quite handy.

Suexec has a large number of sanity checks turned on in it, and one of
these is a range check on the uid and gid of the script - the intent is
to refuse to run with ids that are too low on the premise that these are
usually admin-type ids (print services, etc) and shouldn't be available
to something as easy to mis-secure as a CGI script.

For an _internal_ web server (not internet facing) it may be sensible to
turn off a lot of these checks - at my work place we have several of
them disabled on the shared internal web server.

To do this you must recompile the suexec program from source - fetch an
Apache source matching the version on your web server and build the
suexec.c program and install it by hand. Think VERY CAREFULLY about any
checks you turn off and how their absence may be abused.

| I want the script to run as
| 'apache' which is what the web server is running as.  How can I keep
| the scripts as apache:apache?

A better question might be: why do you want this?

The only time you care about the uid/gid of a CGI script is if it must
access local data. No local data should be owned by apache - the whole
point of the apache user is to ensure that CGI scripts and the server in
general have no special privileges (i.e. can only access publicly
available files) for security.

Probably you need to renumber the gid of the group you do want to use,
whatever it is - probably not "apache" - to an id over 1000.

Cheers,
-- 
Cameron Simpson <cs at zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

It is necessary for technical reasons that these warheads be stored with
the top at the bottom and the bottom at the top. In order that there may
be no doubt as to which is the top and which is the bottom, for storage
purposes it will be seen that the bottom of each head has been labelled
with the word TOP.      - Instructions for storing British nuclear
warheads
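An added example, not code from this thread or from Apache, that models in Python the refusal checks Cameron describes: it reads the compiled-in minimums from constructed `suexec -V` output and reports why each of several constructed script records would be refused, including the gid 100 case from the log above. The record fields (`target_uid`, `owner_gid`, `mode`, ...) are this example's own naming.

```python
"""Audit CGI scripts against the sanity checks suexec applies before exec.

Added example, modelled on suexec's documented checks: target uid/gid must not
be 0 or below the compiled-in AP_UID_MIN / AP_GID_MIN, the program must not be
setuid/setgid or writable by group/others, and its owner must match the target.
"""
import re
import stat

# Constructed `suexec -V` output; minimums chosen so the thread's gid 100 fails.
SUEXEC_V = """\
 -D AP_GID_MIN=500
 -D AP_HTTPD_USER="apache"
 -D AP_UID_MIN=500
"""

# Constructed script records: st_mode plus the uid/gid Apache asks suexec for.
SCRIPTS = [
    {"path": "test.cgi", "target_uid": 501, "target_gid": 100,
     "owner_uid": 501, "owner_gid": 100, "mode": 0o100755},   # before the fix
    {"path": "test.cgi", "target_uid": 501, "target_gid": 500,
     "owner_uid": 501, "owner_gid": 500, "mode": 0o100755},   # after renumbering
    {"path": "shared.cgi", "target_uid": 501, "target_gid": 500,
     "owner_uid": 501, "owner_gid": 500, "mode": 0o100775},   # group-writable
]


def parse_suexec_v(text):
    """Return the -D NAME=VALUE defines from `suexec -V` output as a dict."""
    return {m.group(1): m.group(3)
            for m in re.finditer(r'-D\s+(\w+)=("?)([^"\n]*)\2', text)}


def audit(script, defs):
    """Return suexec-style refusal reasons for `script`; empty means it would run."""
    uid, gid = script["target_uid"], script["target_gid"]
    owner, mode = (script["owner_uid"], script["owner_gid"]), script["mode"]
    reasons = []
    if uid == 0 or uid < int(defs["AP_UID_MIN"]):
        reasons.append(f"cannot run as forbidden uid ({uid}/{script['path']})")
    if gid == 0 or gid < int(defs["AP_GID_MIN"]):
        reasons.append(f"cannot run as forbidden gid ({gid}/{script['path']})")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("file is either setuid or setgid")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("file is writable by others")
    if owner != (uid, gid):
        reasons.append(f"target uid/gid ({uid}/{gid}) mismatch with program "
                       f"({owner[0]}/{owner[1]})")
    return reasons


def audit_all(scripts=SCRIPTS, text=SUEXEC_V):
    defs = parse_suexec_v(text)
    return {(s["path"], s["target_gid"]): audit(s, defs) for s in scripts}
```

On a real host, replace the constructed values with the output of `suexec -V` and the owner/mode of each user's cgi-bin entries to see which scripts the range check would reject before touching any group ids.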
