Bug 121352 - Scripts in cgi-bin have ownership changed
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: httpd
Version: rawhide
Hardware: i686 Linux
Priority: medium, Severity: high
Assigned To: Joe Orton
Reported: 2004-04-20 13:43 EDT by Need Real Name
Modified: 2007-11-30 17:10 EST (History)
Last Closed: 2004-04-21 05:16:23 EDT

Attachments:
httpd.conf (35.34 KB, text/plain), 2004-04-20 16:07 EDT, Need Real Name
httpd.conf (35.34 KB, text/plain), 2004-04-20 16:09 EDT, Need Real Name

Description Need Real Name 2004-04-20 13:43:25 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040312 Epiphany/1.1.12

Description of problem:
The scripts in cgi-bin keep having the ownership (apache) altered to
another user.

I can see nothing in the logs as to why this is happening.

It makes the scripts fairly unusable.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run any script
2. After a while the system alters ownership

Additional info:
Comment 1 Joe Orton 2004-04-20 14:59:12 EDT
Which users are the scripts getting chowned to?  Do you have SELinux
enabled?  That's a very weird problem.  httpd doesn't do this.  What
modules do you have installed, and are running?  Can you reproduce the
user-change behaviour consistently?
Comment 2 Need Real Name 2004-04-20 15:49:51 EDT
Which users are the scripts getting chowned to?  

User mike (my user ID)


Do you have SELinux
enabled?
yes - but the behaviour is the same without

  That's a very weird problem.  httpd doesn't do this.  

What
modules do you have installed, and are running?  

/usr/lib/httpd/modules/mod_access.so
/usr/lib/httpd/modules/mod_actions.so
/usr/lib/httpd/modules/mod_alias.so
/usr/lib/httpd/modules/mod_asis.so
/usr/lib/httpd/modules/mod_auth.so
/usr/lib/httpd/modules/mod_auth_anon.so
/usr/lib/httpd/modules/mod_auth_dbm.so
/usr/lib/httpd/modules/mod_auth_digest.so
/usr/lib/httpd/modules/mod_auth_ldap.so
/usr/lib/httpd/modules/mod_autoindex.so
/usr/lib/httpd/modules/mod_cache.so
/usr/lib/httpd/modules/mod_cern_meta.so
/usr/lib/httpd/modules/mod_cgi.so
/usr/lib/httpd/modules/mod_dav.so
/usr/lib/httpd/modules/mod_dav_fs.so
/usr/lib/httpd/modules/mod_deflate.so
/usr/lib/httpd/modules/mod_dir.so
/usr/lib/httpd/modules/mod_disk_cache.so
/usr/lib/httpd/modules/mod_env.so
/usr/lib/httpd/modules/mod_expires.so
/usr/lib/httpd/modules/mod_file_cache.so
/usr/lib/httpd/modules/mod_headers.so
/usr/lib/httpd/modules/mod_imap.so
/usr/lib/httpd/modules/mod_include.so
/usr/lib/httpd/modules/mod_info.so
/usr/lib/httpd/modules/mod_ldap.so
/usr/lib/httpd/modules/mod_log_config.so
/usr/lib/httpd/modules/mod_logio.so
/usr/lib/httpd/modules/mod_mem_cache.so
/usr/lib/httpd/modules/mod_mime.so
/usr/lib/httpd/modules/mod_mime_magic.so
/usr/lib/httpd/modules/mod_negotiation.so
/usr/lib/httpd/modules/mod_proxy.so
/usr/lib/httpd/modules/mod_proxy_connect.so
/usr/lib/httpd/modules/mod_proxy_ftp.so
/usr/lib/httpd/modules/mod_proxy_http.so
/usr/lib/httpd/modules/mod_rewrite.so
/usr/lib/httpd/modules/mod_setenvif.so
/usr/lib/httpd/modules/mod_speling.so
/usr/lib/httpd/modules/mod_status.so
/usr/lib/httpd/modules/mod_suexec.so
/usr/lib/httpd/modules/mod_unique_id.so
/usr/lib/httpd/modules/mod_userdir.so
/usr/lib/httpd/modules/mod_usertrack.so
/usr/lib/httpd/modules/mod_vhost_alias.so


Can you reproduce the
user-change behaviour consistently?

Unfortunately yes

All the scripts should have the following:
-r-xrw-r--  1 apache mike

What I can't understand is why they are getting changed to owner "mike"
rather than root

doing chattr -i doesn't work

The only other bit of info I can think of is that they all do a
DBI::Pg call with DB user mike
Comment 3 Joe Orton 2004-04-20 15:55:00 EDT
To be clear: what ownership does the script have before and after it
is changed?  Is the script in /var/www/cgi-bin, or in a UserDir
directory?  Is suexec being used? Please attach the httpd.conf too.
Comment 4 Need Real Name 2004-04-20 16:07:27 EDT
Created attachment 99575
httpd.conf

httpd.conf
Comment 5 Need Real Name 2004-04-20 16:09:08 EDT
1. All scripts are in cgi-bin
2. normal ownership
owner apache
group mike
changed ownership
owner mike
group mike

3. Not using suexec

4. attached
Comment 6 Need Real Name 2004-04-20 16:09:50 EDT
Created attachment 99576
httpd.conf
Comment 7 Joe Orton 2004-04-20 16:25:29 EDT
CGI scripts in /var/www/cgi-bin should be owned by root.root: they
should not even be writable by the apache user. It sounds like the
most likely cause is that the script is changing its own ownership.
Comment 8 Need Real Name 2004-04-21 04:58:30 EDT
CGI scripts in /var/www/cgi-bin should be owned by root.root: 

then they don't run at all - permission denied (as expected)

they should not even be writable by the apache user. 

they are not - owner has rx permission

It sounds like the most likely cause is that script is changing its
own ownership.

this I don't see how it can - example script

#!/usr/bin/perl -w
use CGI qw/:standard/;

# Emit the HTTP header and open the HTML page
print header();
print start_html(-title=>'Invoices select',-BGCOLOR=>'#FCD08C');
use DBI;
use DBD::Pg;

print h1("Select Last name or Organisation/Company you wish to search for invoices");

# Search form, posted to inv_sel2_org.pl
print start_multipart_form('POST','inv_sel2_org.pl');
# The statement below ends with a semicolon: a trailing comma would pull
# the next print into this argument list.
print "Type in part or all of the last name or\norganisation you wish to search for invoices",
textfield(-name=>'name',-BGCOLOR=>'red',-style=>'background-color: red;color: white');
print "<br />";
print "<br />";
print "<br />";
print "<BR />";
print submit('Search');
print end_form;

print end_html;
Comment 9 Joe Orton 2004-04-21 05:16:23 EDT
Correct permissions are:

chown root.root myscript.pl
chmod 755 myscript.pl

I can't reproduce any issues here, and it's highly unlikely that this
is an httpd bug.
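
The state recommended in Comment 9 (root.root, mode 755) can be checked mechanically across a CGI directory. The script below is an added example, not part of the original bug thread or of httpd; the names `audit_cgi_dir`, `report` and `AUDIT_FINDINGS` are illustrative, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit CGI scripts against the
# ownership and mode given in Comment 9 (root.root, 755).
# Usage: sh audit_cgi.sh /var/www/cgi-bin [OWNER:GROUP]
# Assumes GNU stat (stat -c), as shipped on Fedora.

AUDIT_FINDINGS=0

# Count a finding and print it as "path: reason".
report() {
    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    printf '%s: %s\n' "$1" "$2"
}

# audit_cgi_dir DIR [OWNER:GROUP]
# Prints one line per finding, leaves the count in AUDIT_FINDINGS and
# returns non-zero if anything was found.
audit_cgi_dir() {
    dir=$1
    want=${2:-root:root}
    AUDIT_FINDINGS=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        owner=$(stat -c '%U:%G' "$f")
        mode=$(stat -c '%a' "$f")
        bits=$((0$mode))          # read the octal mode string as a number

        # The owner of a file can chmod it and then rewrite it.
        [ "$owner" = "$want" ] || report "$f" "owner $owner, expected $want"

        # Group or other write lets a non-owner change what the server runs.
        [ $((bits & 022)) -eq 0 ] || report "$f" "mode $mode is group/other writable"

        # A server user that is neither owner nor in the group is subject to
        # the "other" bits and needs r-x there, or gets permission denied.
        [ $((bits & 005)) -eq 5 ] || report "$f" "mode $mode lacks r-x for others"
    done
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    audit_cgi_dir "$@"
fi
```

A file carrying the mode shown in Comment 2 (`-r-xrw-r--`, octal 564) produces two findings: it is group-writable, and it has no execute bit for others.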
