| Summary: | mode of /usr/sbin/suexec prevents running CGI scripts from user home directories | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jason Vas Dias <jason.vas.dias> |
| Component: | httpd | Assignee: | Jan Kaluža <jkaluza> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | jason.vas.dias, jkaluza, jorton, pahan |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-08-29 15:16:58 UTC | Type: | Bug |
suexec uses capabilities in Fedora - has the binary got the capabilities set still? What's the output of:

    # rpm -V httpd
    # filecap /usr/sbin/suexec

(you may need to "yum install libcap-ng-utils" for the latter)

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Description of problem:

Trying to run ANY CGI script with httpd-2.4.6-2.fc19.x86_64 fails with 'End of script output before headers'.

After much debugging and head scratching (the above is the only message in the error_log), I found this was because the suexec module is enabled, and /sbin/suexec is installed with group apache:

    # ls -l /sbin/suexec
    -r-x--x---. 1 root apache 15400 Jul 31 07:50 /sbin/suexec

So suexec, even though it will run with an effective UID of root, runs with an effective GID of apache, so it can never setgid() - it was emitting this message to /var/log/secure each time I tried to run a CGI script in my ~/public_html directory (I have mod_userdir enabled and added the 'Option +ExecCGI' for my ~/public_html dir):

    failed to setgid (1000: test.cgi)

strace showed suexec was being run by user apache, group apache with the command:

    suexec ~1000 1000 /home/jason/public_html/test.cgi

But because it was installed with GID apache, root:apache is not permitted to setgid.

Doing, as root:

    # chown root:root /usr/sbin/suexec; chmod 06555 /usr/sbin/suexec

fixes the problem - suexec is then able to setgid and run the script.

Please allow suexec to do setgid!

The problem does not occur when I build and install the upstream httpd-2.4.7 from apache.org.

Version-Release number of selected component (if applicable):

httpd-2.4.6-2.fc19.x86_64

How reproducible:

100%

Steps to Reproduce:

1. Try to run ANY cgi script in a ~/public_html directory, e.g. with the URL: http://localhost/~jason/test.cgi

    $ cat test.cgi
    #!/bin/sh
    echo -en 'Content-type: text/html'"\n\n"
    cat <<'EOF'
    <html>
    <title>Test CGI Script</title>
    <body>
    It worked!
    </body>
    </html>
    EOF

Actual results:

A server error and misleading messages about 'End of script output before headers' in /var/log/httpd/error_log

Expected results:

The script should have been run by suexec and produced a valid HTTP response.

Additional info:
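
Added example, not part of the original report and not code from the httpd package: a shell check that tells apart the two ways a suexec binary can be allowed to call setgid()/setuid(), namely the setuid-root bit (the reporter's `chmod 06555` workaround) and file capabilities (the Fedora layout the comment asks about). It assumes GNU `stat` and libcap's `getcap` rather than the `filecap` tool named above, and assumes the relevant capabilities are `cap_setgid` and `cap_setuid`, which the page does not list; the function names are hypothetical.

```sh
#!/bin/sh
# classify_suexec MODE UID CAPS
#   MODE: octal permission bits as printed by `stat -c %a` (e.g. 510, 6555)
#   UID:  numeric owner as printed by `stat -c %u`
#   CAPS: the line printed by `getcap FILE` (empty if no capability xattr)
# Prints setuid-root, file-caps or unprivileged.
classify_suexec() {
    mode=$1 uid=$2 caps=$3

    # setuid layout: setuid bit (04000) on a root-owned file.
    if [ $(( 0$mode & 04000 )) -ne 0 ] && [ "$uid" -eq 0 ]; then
        echo setuid-root
        return 0
    fi

    # Capability layout: both capabilities named in one clause, followed by
    # the flag letters. getcap prints "cap_a,cap_b+ep" (older libcap) or
    # "cap_a,cap_b=ep" (newer). Multi-clause sets are not parsed separately.
    case $caps in
        *cap_setgid*cap_setuid*[+=]*|*cap_setuid*cap_setgid*[+=]*)
            flags=${caps##*[+=]} ;;
        *)  flags= ;;
    esac

    # Both must be permitted (p) and effective (e), since suexec does not
    # raise capabilities itself.
    case $flags in
        *e*p*|*p*e*) echo file-caps ;;
        *) echo unprivileged ;;   # setgid() fails: "failed to setgid"
    esac
}

# check_suexec [PATH]: gather the three inputs from a real file.
check_suexec() {
    path=${1:-/usr/sbin/suexec}
    mode=$(stat -c %a "$path") || return 2
    uid=$(stat -c %u "$path") || return 2
    caps=$(getcap "$path" 2>/dev/null) || caps=
    classify_suexec "$mode" "$uid" "$caps"
}

# Constructed samples (not captured from a real system):
classify_suexec 510 0 '/usr/sbin/suexec = cap_setgid,cap_setuid+ep'  # mode from the ls output, caps intact
classify_suexec 510 0 ''                                              # same mode, capability xattr lost
classify_suexec 6555 0 ''                                             # after the reporter's chmod 06555
```

Run `check_suexec` as root on the affected host; a result of `unprivileged` for a mode 510 binary means the capability xattr is missing, which is what `rpm -V httpd` would also flag.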