Running setuid CGI scripts with Apache
Hello,

I'm not running suexec, nor do I care to. I have a suid script which is owned by a user other than the one Apache is running as. When I run this from the shell, all is well. When I run it from Apache, it runs as the same user as Apache. Binaries do not exhibit this problem, only scripts.

My first thought was that Apache was reading the hash-bang line and running that program with the script as an argument, thereby using the permissions of that binary instead of the script. I sure hope this isn't the case, as that would be rather silly. I read through much of the relevant source and didn't see any indications of this, but the large amount of abstraction makes the code difficult to follow.

So, without using suidperl, and without using a binary wrapper, what's going on here, and how do I fix it? I'm running Apache 2.0.48 on FreeBSD 5.1-RELEASE.

--
Sean Hamilton <sh@bel.bc.ca>

On Tue, 13 Jan 2004 19:03:37 GMT, Sean Hamilton <sh@bel.bc.ca> wrote:
> Hello,
>
> I'm not running suexec, nor do I care to. I have a suid script which is
> owned by a user other than the one Apache is running as. When I run this
> from the shell, all is well. When I run it from Apache, it runs as the same
> user as Apache. Binaries do not exhibit this problem, only scripts.

When you say in the shell "all is well" are you changing to a different user and actually confirming that it runs as the suid user (printing the output of `id` or something)?

> My first thought was that Apache was reading the hash-bang line and running
> that program with the script as an argument, thereby using the permissions
> of that binary instead of the script. I sure hope this isn't the case, as
> that would be rather silly. I read through much of the relevant source and
> didn't see any indications of this, but the large amount of abstraction
> makes the code difficult to follow.
>
> So, without using suidperl, and without using a binary wrapper, what's going
> on here, and how do I fix it? I'm running Apache 2.0.48 on FreeBSD
> 5.1-RELEASE.

Most systems ignore suid for scripts for security reasons. So you have no choice but to use an suid binary wrapper, or suexec, or suidperl (which is not suid root by default).

--
David Efflandt - All spam ignored http://www.de-srv.com/

"David Efflandt" <efflandt@xnet.com> wrote:
| When you say in the shell "all is well" are you
| changing to a different user and actually confirming
| that it runs as the suid user (printing the output of
| `id` or something)?

Yes. Exactly.

| Most systems ignore suid for scripts for security
| reasons. So you have no choice but to use an suid
| binary wrapper, or suexec, or suidperl (which is not
| suid root by default).

FreeBSD does not ignore setuid for scripts. If I run it from a shell running as the apache user, it works fine. The problem only occurs when Apache runs the script.

--
Sean Hamilton <sh@bel.bc.ca>