I installed the Apache 1.3.6 package and modified the configuration to run under a new user I created named "httpd". httpd's primary group is also named "httpd", and then it is a member of the "video" group as well. From /etc/group:

    video:x:401:httpd,admin

I have a CGI that I want to make executable only by the "video" group...

    -r-xr-x--- 1 root video 77 Sep 22 11:56 test.cgi

...however Apache will refuse to execute it. I get the following error message in /etc/httpd/logs/error_log:

    Wed Sep 22 12:18:48 1999] [error] [client 127.0.0.1] file permissions deny server execution: /video/tools/htdocs/test.cgi

It works fine if I chgrp it to "httpd". test.cgi, by the way, contains the following:

    #!/bin/sh
    echo "Content-Type: text/plain"
    echo ""
    echo -n "id -a: "
    id -a

It outputs...

    id -a: uid=16(httpd) gid=16(httpd) groups=16(httpd),401(video)

...so I know that httpd truly is a member of the group and _should_ have permission to execute the script chgrp'd to video.

Looking through the sources, I can see that modules/standard/mod_cgi.c is calling ap_can_exec() from ap/util.c, which checks the uid and gid of the file against the current user and group. There is support for supplementary groups, but it's wrapped in #ifdef MULTIPLE_GROUPS .. #endif statements. I assume this means that Apache needs to be recompiled with the MULTIPLE_GROUPS option?

This feature has enough additional security implications that we do not want it turned on by default. This is also why it isn't documented in the Apache documentation nor supported as a configuration-time option. You may recompile your Apache and #define the preprocessor directive in httpd.h if you need this feature.
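
The check discussed in this report, modelled as an added example (this is not Apache's ap_can_exec() source or anyone's posted code): it compares a file's owner, group and mode against the server identity, once using only the primary gid and once including supplementary groups. The names can_exec, struct ident and sample_cgi are hypothetical; the uid, gid and mode values are the ones quoted in the report.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Server identity: uid, primary gid, supplementary group list. */
struct ident { uid_t uid; gid_t gid; const gid_t *groups; int ngroups; };

/* Returns 1 if `who` may execute the file described by `st`.
 * use_supp == 0: only the primary gid is compared (what the report hit).
 * use_supp != 0: supplementary groups count as well.
 * The first matching class (owner, group, other) decides, as in POSIX. */
int can_exec(const struct stat *st, const struct ident *who, int use_supp)
{
    int i, in_group;

    if (who->uid == st->st_uid)
        return (st->st_mode & S_IXUSR) != 0;
    in_group = (who->gid == st->st_gid);
    for (i = 0; use_supp && !in_group && i < who->ngroups; i++)
        in_group = (who->groups[i] == st->st_gid);
    if (in_group)
        return (st->st_mode & S_IXGRP) != 0;
    return (st->st_mode & S_IXOTH) != 0;
}

/* Constructed sample: test.cgi from the report (-r-xr-x---, owner root). */
struct stat sample_cgi(gid_t file_gid)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_uid = 0;          /* root */
    st.st_gid = file_gid;   /* 401 = video, 16 = httpd */
    st.st_mode = 0550;
    return st;
}

/* Identity printed by `id -a` in the report. */
static const gid_t httpd_groups[] = { 16, 401 };
static const struct ident httpd = { 16, 16, httpd_groups, 2 };

int main(void)
{
    struct stat video = sample_cgi(401), own = sample_cgi(16);
    printf("chgrp video, primary gid only: %d\n", can_exec(&video, &httpd, 0));
    printf("chgrp video, with supp groups: %d\n", can_exec(&video, &httpd, 1));
    printf("chgrp httpd, primary gid only: %d\n", can_exec(&own, &httpd, 0));
    return 0;
}
```

With supplementary groups counted, every file that is group-executable for any group the server account belongs to passes the check, so membership of the server account in shared groups should be reviewed before enabling it.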