Bug 26972

Summary: SuExec is overzealous about group permissions
Product: [Retired] Red Hat Linux
Reporter: Scott Schmit <i.grok>
Component: apache
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED WONTFIX
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 7.1
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-02-10 18:20:48 UTC

Description Scott Schmit 2001-02-10 18:20:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.0-0.99.11 i686; Nav)


When I viewed my web site on localhost, my perl scripts would not run. When
I directly fetched the url for the perl script, the server returned a 500.
So I checked the logs and the suexec log complained:
[2001-02-10 11:39:04]: error: directory is writable by others: (/home/draco/public_html/bin)
[2001-02-10 11:44:07]: info: (target/actual) uid: (draco/draco) gid: (draco/draco) cmd: comic.pull.pl

I checked the permissions of the directories (snipping the files from the
listing):
[draco@utopia:~/public_html]$ ll
total 32
drwxrwxr-x    2 draco    draco        4096 Feb 10 11:44 bin
drwxrwxr-x    2 draco    draco        4096 Oct 21 18:05 css
drwxrwxrwx    2 draco    draco        4096 Oct 21 18:07 data
drwxrwxr-x    2 draco    draco        4096 Oct 21 18:06 image
drwxrwxr-x    2 draco    draco        4096 Jan 28 21:22 template

As you can see, bin (where apache was complaining) is not world writable.
I then did this:
[draco@utopia:~/public_html]$ chmod g-wrx *
[draco@utopia:~/public_html]$ ll
total 32
drwx---r-x    2 draco    draco        4096 Feb 10 11:44 bin
drwx---r-x    2 draco    draco        4096 Oct 21 18:05 css
drwx---rwx    2 draco    draco        4096 Oct 21 18:07 data
drwx---r-x    2 draco    draco        4096 Oct 21 18:06 image
drwx---r-x    2 draco    draco        4096 Jan 28 21:22 template

Automagically, apache stopped having problems with the permissions and ran
the scripts. I see this as a bug since the group "draco" is hardly
"everyone" :-)

Reproducible: Always
Steps to Reproduce:
1. Set up apache to serve user directories (/~user/) and permit ExecCGI.
2. chmod o=x home and o=rx (or even o=x) public_html
3. change permissions under public_html so that all directories are not
world writable (chmod o-w)
4. change permissions under public_html so that all directories are group
writable (chmod g+w)
5. make some trivial script(s) to run someplace under public_html (say,
~/public_html/bin/)
6. attempt to run your script(s) through apache

Actual Results:  the perl scripts do not run because suexec forbids it. It
says these directories are world writable. They aren't.
$ ls -ld /home /home/draco /home/draco/public_html /home/draco/public_html/bin
drwxr-xr-x    9 root     root         4096 Feb  7 16:08 /home
drwx-----x   31 draco    draco        4096 Feb 10 11:57 /home/draco
drwx-----x    7 draco    draco        4096 Oct 21 18:34 /home/draco/public_html
drwxrwxr-x    2 draco    draco        4096 Feb 10 11:44 /home/draco/public_html/bin

Expected Results:  suexec should have permitted execution. Users in groups
need to be able to modify web directories and still execute programs!

$ rpm -q apache
apache-1.3.14-9

Comment 1 Nalin Dahyabhai 2001-02-15 05:23:38 UTC
Group-writable directories and files are considered non-secure, and user-groups
are not exceptions to this rule.
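The following is an added illustration, not code from the bug report or from Apache's suexec: a small POSIX shell model of the directory check that produced the reporter's error, written from the rule the maintainer states above (a directory is rejected when either the group-write or the other-write bit is set). It reads the mode string printed by `ls -ld`, which is assumed to follow the usual ten-character layout, and builds a throwaway tree with the same modes as the reporter's listing (constructed sample, not the reporter's host) to show that 775 fails exactly like 777 and that the reporter's `chmod g-w` workaround is what clears it.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Apache: a portable
# shell model of the suexec directory check behind the reporter's error.
# As the maintainer's reply says, a directory is rejected if EITHER the
# group-write OR the other-write bit is set, which is why a 775 directory
# fails with the same "directory is writable by others" message as a 777 one.

# suexec_dir_ok DIR: exit 0 if the check would accept DIR, 1 if it would
# be logged as "directory is writable by others".
suexec_dir_ok() {
    # Positions 6 and 9 of the ls mode string are group-write and other-write;
    # setgid/sticky markers sit at positions 7 and 10, so they do not interfere.
    perms=$(ls -ld "$1" | cut -c1-10)
    gw=$(printf '%s' "$perms" | cut -c6)
    ow=$(printf '%s' "$perms" | cut -c9)
    case "$gw$ow" in
        *w*) return 1 ;;
    esac
    return 0
}

# count_rejected DIR...: print how many of the given directories fail the check.
count_rejected() {
    n=0
    for d in "$@"; do
        suexec_dir_ok "$d" || n=$((n + 1))
    done
    echo "$n"
}

# demo: build a throwaway tree with the same modes as the reporter's listing
# (bin=775, data=777, css=755; constructed here, not the reporter's host),
# report each directory, then apply the reporter's workaround to bin.
demo() {
    top=$(mktemp -d)
    mkdir "$top/bin" "$top/data" "$top/css"
    chmod 775 "$top/bin"    # group-writable only, exactly the reported case
    chmod 777 "$top/data"   # world-writable
    chmod 755 "$top/css"    # neither
    for d in bin data css; do
        mode=$(ls -ld "$top/$d" | cut -c1-10)
        if suexec_dir_ok "$top/$d"; then
            echo "accept  $d ($mode)"
        else
            echo "reject  $d ($mode): directory is writable by others"
        fi
    done
    echo "rejected: $(count_rejected "$top/bin" "$top/data" "$top/css") of 3"
    chmod g-w "$top/bin"
    suexec_dir_ok "$top/bin" && echo "after chmod g-w bin: accept"
    rm -rf "$top"
}

demo
```

Running it prints a reject line for both bin (775) and data (777), an accept line for css (755), and an accept for bin once group write is dropped; the wording of the error comes from the check, not from the actual other-write bit.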