On Sun, 6 Jul 2003 09:23:16 -0700, WLauman <wlauman@email.com> wrote:
>
> "David Efflandt" <efflandt@xnet.com> wrote in message
>> Even if SuExec is enabled, it only works in /~username/ URLs and virtual
>> hosts under the main DocumentRoot it was compiled for (assuming you follow
>> all the suexec rules). For virtual hosts you would need to specify User
>> and Group and they would need to own any directories and files in that
>> virtual host with not more than 755 permission. SuExec will not run
>> anything as root.
>>
>> Without suexec, it is possible to run CGI as a specific user using suid
>> permissions, but that is usually ignored for scripts, and would require an
>> suid binary wrapper (small C program, etc.).
>>
>> It is possible that those other servers were using apache suexec (or
>> separate cgiwrap).
>>
>> --
>> David Efflandt - All spam ignored http://www.de-srv.com/
>
> Thanks David for your time.
> I'm not the sharpest knife in the drawer.
>
> The problem seems to be the Owner(user) of the file. If I chown -R
> apache.apache /path/to/my/cgi-bin
> then the program works fine using chmod 755. The problem is then the owner
> "admin" has no permissions via FTP.

Either way you would need to give write permission for 'others' for both
to be able to write or delete CGI data files, which would mean that most
anyone could modify them (via their own CGI if not from the shell).

> Also would this problem also carry over to Virtual Hosts?

It depends whether suexec is being used, the virtual hosts are below the
main DocumentRoot, and the 'User' and 'Group' that maintains the website
are specified in the VirtualHost (for apache 2.x see SuexecUserGroup). I
do not think suexec can be used for the main server (just /~username/ URLs
and properly configured vhosts).
Without suexec, everything runs as the same user.

> Just a thought...The httpd.conf has user/group left at default
> apache/apache. If I change that to admin/admin then apache server would run
> as admin, correct? But how would this affect Virtual Hosts?

Probably NOT a good idea. Default apache user should be a user that can
do the least amount of harm if a script can be exploited, or under suexec
as the particular user responsible, so you can tell who screwed up.

--
David Efflandt - All spam ignored
http://www.de-srv.com/
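
The conditions named in the reply above (everything in the virtual host owned by its User, mode no more than 755) can be checked over a CGI tree before relying on suexec. The script below is an added example, not part of the original thread; the function name `check_cgi_tree` is hypothetical, and the setuid/setgid check is an addition based on suexec's documented refusal to run such targets.

```shell
#!/bin/sh
# check_cgi_tree DIR OWNER   (hypothetical helper, added example)
# Reports entries under DIR that break the conditions from the post:
#   - owned by the account named in User / SuexecUserGroup
#   - no more than 755, i.e. not writable by group or others
# Also flags setuid/setgid files, which suexec will not execute.
# OWNER may be a user name or a numeric uid.
# Returns 0 when the tree is clean, 1 when anything was reported.
check_cgi_tree() {
    dir=$1
    owner=$2
    rc=0

    # Anything not owned by the expected account.
    found=$(find "$dir" ! -user "$owner" -print)
    if [ -n "$found" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$found"
        rc=1
    fi

    # Group- or other-writable entries. Symlinks are skipped because
    # their own mode bits are not meaningful.
    found=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$found" ]; then
        printf 'group- or other-writable:\n%s\n' "$found"
        rc=1
    fi

    # setuid / setgid bits on regular files.
    found=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print)
    if [ -n "$found" ]; then
        printf 'setuid or setgid:\n%s\n' "$found"
        rc=1
    fi

    return $rc
}

# Stand-alone use: sh check_cgi_tree.sh /path/to/my/cgi-bin admin
if [ "$#" -eq 2 ]; then
    check_cgi_tree "$1" "$2"
fi
```

A non-zero exit with "group- or other-writable" output corresponds to the situation discussed above, where loosening permissions so that both accounts can write lets anyone else on the host modify the files too.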