Bug 5310 - Apache needs MULTIPLE_GROUPS option?
Summary: Apache needs MULTIPLE_GROUPS option?
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: apache
Version: 6.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Preston Brown
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 1999-09-22 19:06 UTC by dave
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-12-06 18:34:28 UTC

Attachments (Terms of Use)

Description dave 1999-09-22 19:06:13 UTC
I installed the Apache 1.3.6 package and modified the
configuration to run under a new user I created named
"httpd".  httpd's primary group is also named "httpd", and
then it is a member of the "video" group as well.

From /etc/group:


I have a CGI that I want to make executable only by the
"video" group...

-r-xr-x---   1 root     video          77 Sep 22 11:56

...however Apache will refuse to execute it.  I get the
following error message in /etc/httpd/logs/error_log:

Wed Sep 22 12:18:48 1999] [error] [client] file
permissions deny server execution:

It works fine if I chgrp it to "httpd".

test.cgi, by the way, contains the following:

echo "Content-Type: text/plain"
echo ""
echo -n "id -a: "
id -a

It outputs...

id -a: uid=16(httpd) gid=16(httpd)

...so I know that httpd truly is a member of the group and
_should_ have permission to execute the script chgrp'd to

Looking through the sources, I can see that
modules/standard/mod_cgi.c is calling ap_can_exec() from
ap/util.c, which checks the uid and gid of the file against
the current user and group.  There is support for
supplementary groups, but it's wrapped in #ifdef
MULITPLE_GROUPS .. #endif statements.

I assume this means that Apache needs to be recompiled with

Comment 1 Preston Brown 1999-12-06 18:34:59 UTC
This feature has enough additional security implications that we do not want it
turned on by default.  This is also why it isn't documented in the apache
documentation nor supported as a configuration-time option.

You may recompile your apache and #define the preprocessor directive in httpd.h
if you need this feature.

Note You need to log in before you can comment on or make changes to this bug.