Red Hat Bugzilla – Bug 5310
Apache needs MULTIPLE_GROUPS option?
Last modified: 2008-05-01 11:37:51 EDT
I installed the Apache 1.3.6 package and modified the
configuration to run under a new user I created named
"httpd". httpd's primary group is also named "httpd", and
then it is a member of the "video" group as well.
I have a CGI that I want to make executable only by the
-r-xr-x--- 1 root video 77 Sep 22 11:56
...however Apache will refuse to execute it. I get the
following error message in /etc/httpd/logs/error_log:
Wed Sep 22 12:18:48 1999] [error] [client 127.0.0.1] file
permissions deny server execution:
It works fine if I chgrp it to "httpd".
test.cgi, by the way, contains the following:
echo "Content-Type: text/plain"
echo -n "id -a: "
id -a: uid=16(httpd) gid=16(httpd)
...so I know that httpd truly is a member of the group and
_should_ have permission to execute the script chgrp'd to
Looking through the sources, I can see that
modules/standard/mod_cgi.c is calling ap_can_exec() from
ap/util.c, which checks the uid and gid of the file against
the current user and group. There is support for
supplementary groups, but it's wrapped in #ifdef
MULITPLE_GROUPS .. #endif statements.
I assume this means that Apache needs to be recompiled with
the MULTIPLE_GROUPS option?
This feature has enough additional security implications that we do not want it
turned on by default. This is also why it isn't documented in the apache
documentation nor supported as a configuration-time option.
You may recompile your apache and #define the preprocessor directive in httpd.h
if you need this feature.