Bug 523903 - mod_fcgid insists on using suexec preventing UserDirs from working
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_fcgid
Version: 14
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-09-17 06:08 UTC by David Rees
Modified: 2012-08-16 22:11 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-08-16 22:11:06 UTC


Attachments
httpd.conf (2.49 KB, text/plain)
2009-09-17 06:08 UTC, David Rees

Description David Rees 2009-09-17 06:08:26 UTC
Description of problem:
Even without loading suexec, mod_fcgid appears to want to invoke suexec when executing scripts in UserDirs.  But because the wrapper is not located/owned by the user, the script refuses to be executed.

Version-Release number of selected component (if applicable):
mod_fcgid-2.2-12.fc11.x86_64

How reproducible:
Every time.

Steps to Reproduce:
1. Enable mod_fcgid
2. Configure to serve PHP scripts
3. Put PHP script in UserDir and try to run it.
  
Actual results:
Internal Server Error

Expected results:
Output from PHP script

Additional info:
I will attach a simple httpd.conf that shows the problem.  Put a simple test.php script in the public_html dir of your choice and /var/www/html/ for testing.

Apache error_log:

[Wed Sep 16 22:58:06 2009] [notice] mod_fcgid: call /var/www/html/test.php with wrapper /usr/bin/php-cgi
[Wed Sep 16 22:58:13 2009] [notice] mod_fcgid: call /home/drees/public_html/test.php with wrapper /usr/bin/php-cgi
suexec policy violation: see suexec log for more details

Apache suexec log:

[2009-09-16 22:58:13]: uid: (500/drees) gid: (100/users) cmd: php-cgi
[2009-09-16 22:58:13]: command not in docroot (/usr/bin/php-cgi)

Comment 1 David Rees 2009-09-17 06:08:55 UTC
Created attachment 361428
httpd.conf

Comment 2 David Rees 2009-09-17 06:29:45 UTC
OK, after bashing my head against this issue over the past couple days, I finally figured out that renaming the suexec binary seems to avoid suexec enabling.

The problem is that the next httpd upgrade will replace the suexec binary.  Surely there should be a configuration option to completely disable suexec?  I would have thought that disabling the suexec module would have been enough.

(I guess at this point this is more of a httpd bug than a mod_fcgid bug, too!)

Comment 3 Paul Howarth 2009-09-17 06:51:36 UTC
There was some related discussion upstream a while back:

http://www.mail-archive.com/mod-fcgid-users@lists.sourceforge.net/msg00154.html

Unfortunately development of mod_fcgid appears to have come to a halt around that time too.

Comment 4 David Rees 2009-09-17 07:21:26 UTC
Yeah, an option like that looks like it would do the trick.

I seem to recall reading somewhere that mod_fcgid was getting merged upstream into the next major Apache release?

Comment 5 Paul Howarth 2009-09-17 09:12:21 UTC
Hmm, you're right!

http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/README-FCGID?view=markup

Comment 6 Paul Howarth 2009-09-23 15:57:26 UTC
There's also an upstream bug on mod_suexec that may be related:
https://issues.apache.org/bugzilla/show_bug.cgi?id=42175

I've built some mod_fcgid packages from the new upstream svn at apache.org:
http://mirror.city-fan.org/ftp/contrib/websrv/

These don't resolve your problem unfortunately but it's in heavy upstream development at the moment so the best option might be to raise this as a bug on the dev@httpd.apache.org list and it might get fixed for the next release.

Comment 7 David Rees 2009-09-23 22:16:23 UTC
After doing more reading, it's not quite clear what the actual bug is as it seems that there are a couple issues here:

Enabling suEXEC is a server-wide "configuration" issue.  Apache detects at startup whether or not suEXEC is enabled by looking for the suexec binary in the appropriate spot with the appropriate permissions.  To disable it, either change the permissions or remove the binary.  Possible resolutions would be to enhance suEXEC to allow the enabling/disabling of suEXEC in the configuration file or on the command line, or to modify the Apache startup scripts to look for a configuration value in /etc/sysconfig/httpd and enable/disable suexec appropriately.

I don't think this is only a mod_fcgid bug - I imagine that this would affect anyone trying to exec scripts in the UserDir folders and just wanted them executed as the Apache user instead of the User's folder.
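
The startup detection described in Comment 7 can be turned into a check to rerun after each httpd update, since Comment 2 notes that an upgrade puts the suexec binary back. This is an added example, not part of the bug report or of httpd; the default path /usr/sbin/suexec and the exact test (file exists, owned by uid 0, setuid bit set) are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: report whether httpd would treat suEXEC as enabled.
# Assumption: the startup test is "wrapper exists, owned by uid 0, setuid bit set".

# suexec_decision MODE UID -> prints "enabled" or "disabled"
# MODE is the octal permission string printed by `stat -c %a` (e.g. 4755).
suexec_decision() {
    mode=$1
    uid=$2
    # 04000 is the setuid bit; the leading 0 makes the shell read MODE as octal.
    if [ "$uid" -eq 0 ] && [ $(( 0$mode & 04000 )) -ne 0 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# suexec_status [PATH] -> prints "absent", "enabled" or "disabled"
suexec_status() {
    bin=${1:-/usr/sbin/suexec}   # assumed location; pass another path if needed
    [ -e "$bin" ] || { echo absent; return 0; }
    # GNU stat: %a = octal mode, %u = numeric owner uid
    set -- $(stat -c '%a %u' "$bin")
    suexec_decision "$1" "$2"
}

# check_suexec WANT [PATH] -> returns 0 when the observed state matches WANT
# ("enabled" or "disabled"); otherwise prints a message to stderr and returns 1.
# A missing or renamed wrapper counts as disabled.
check_suexec() {
    want=$1
    got=$(suexec_status "$2")
    if [ "$got" = absent ]; then
        got=disabled
    fi
    if [ "$got" != "$want" ]; then
        echo "suEXEC is $got, expected $want: ${2:-/usr/sbin/suexec}" >&2
        return 1
    fi
    return 0
}
```

Sourcing the file and running `check_suexec disabled` after a package update flags the case where the wrapper has been restored with its original ownership and mode.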

Comment 8 David Rees 2009-09-23 23:07:36 UTC
Anyway, I opened up discussion on the httpd-dev list:

http://marc.info/?l=apache-httpd-dev&m=125374657506543&w=2

We'll see what turns up.  Good to see that development is pretty active on it over there right now.

Comment 9 Bug Zapper 2010-04-28 10:25:54 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 10 David Rees 2010-04-28 21:07:14 UTC
Affects F12 the same.  Haven't tried F13 but I don't expect it to be any different.

Comment 11 Bug Zapper 2010-11-04 09:58:15 UTC
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 12 David Rees 2010-11-04 17:55:29 UTC
Still the same on F13.

Comment 13 Paul Howarth 2010-11-22 14:54:20 UTC
Upstream is adding a facility to enable/disable Suexec globally in the httpd.conf file in httpd 2.4, and will probably backport this to the next 2.2.x release as well:

http://marc.info/?l=apache-httpd-dev&m=129043360310643&w=2

Will that address your issue?

Comment 14 David Rees 2011-01-07 19:24:19 UTC
Sorry for the delay in responding, but yes, it appears that this would indeed solve this bug.

(Also updating to F14, still affects F14 as well).

Comment 15 Paul Howarth 2011-04-07 11:15:07 UTC
Looks like mod_fcgid may be bundled with httpd 2.4 too...

Comment 16 Fedora End Of Life 2012-08-16 22:11:12 UTC
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

