Bug 5310 - Apache needs MULTIPLE_GROUPS option?
Apache needs MULTIPLE_GROUPS option?
Product: Red Hat Linux
Classification: Retired
Component: apache (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Preston Brown
Depends On:
  Show dependency treegraph
Reported: 1999-09-22 15:06 EDT by dave
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 1999-12-06 13:34:28 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description dave 1999-09-22 15:06:13 EDT
I installed the Apache 1.3.6 package and modified the
configuration to run under a new user I created named
"httpd".  httpd's primary group is also named "httpd", and
then it is a member of the "video" group as well.

From /etc/group:


I have a CGI that I want to make executable only by the
"video" group...

-r-xr-x---   1 root     video          77 Sep 22 11:56

...however Apache will refuse to execute it.  I get the
following error message in /etc/httpd/logs/error_log:

Wed Sep 22 12:18:48 1999] [error] [client] file
permissions deny server execution:

It works fine if I chgrp it to "httpd".

test.cgi, by the way, contains the following:

echo "Content-Type: text/plain"
echo ""
echo -n "id -a: "
id -a

It outputs...

id -a: uid=16(httpd) gid=16(httpd)

...so I know that httpd truly is a member of the group and
_should_ have permission to execute the script chgrp'd to

Looking through the sources, I can see that
modules/standard/mod_cgi.c is calling ap_can_exec() from
ap/util.c, which checks the uid and gid of the file against
the current user and group.  There is support for
supplementary groups, but it's wrapped in #ifdef
MULITPLE_GROUPS .. #endif statements.

I assume this means that Apache needs to be recompiled with
Comment 1 Preston Brown 1999-12-06 13:34:59 EST
This feature has enough additional security implications that we do not want it
turned on by default.  This is also why it isn't documented in the apache
documentation nor supported as a configuration-time option.

You may recompile your apache and #define the preprocessor directive in httpd.h
if you need this feature.

Note You need to log in before you can comment on or make changes to this bug.