Date: Wed, 1 Apr 1998 13:51:42 +0800 (WST)
From: Dean Hollister
To: Travis Mikalson
cc: freebsd-isp@FreeBSD.ORG, Jeremy Malcolm
Subject: Re: suexec error

On Tue, 31 Mar 1998, Travis Mikalson wrote:

> Check out the log file that suexec creates (I set mine to
> /var/log/cgi.log)
>
> It will give you the reason that suexec terminated the cgi being wrapped
> before it could run.

I found the cause. suexec.h had the incorrect user the server runs as.
However, upon installing the recompiled version, all cgi ran as root - a
definite security no-no. So, I compiled the standalone version of suexec
which works correctly.

Here is the suexec.h file for the Frontpage extensions. There _has_ to be a
bug in the header:

[Copyright Notice snipped to conserve space]
 *
 */

/* "FPEXE modification made on Nov 2nd 1997 by Mark Wormgoor (riddles@ipe.nl)
 *
 * Changes were made in order to use Suexec and Frontpage 98 at the same time.
 * Instead of trying to run suid on /usr/local/frontpage/currentversion/bin/fpexe,
 * we execute this so the suid-bit does all the work
 */

/*
 * suexec.h -- user-definable variables for the suexec wrapper code.
 */

#ifndef _SUEXEC_H
#define _SUEXEC_H

/*
 * HTTPD_USER -- Define as the username under which Apache normally
 *               runs.  This is the only user allowed to execute
 *               this program.
 */
#ifndef HTTPD_USER
#define HTTPD_USER "nobody"
#endif

/*
 * UID_MIN -- Define this as the lowest UID allowed to be a target user
 *            for suEXEC.  For most systems, 500 or 100 is common.
 */
#ifndef UID_MIN
#define UID_MIN 100
#endif

/*
 * GID_MIN -- Define this as the lowest GID allowed to be a target group
 *            for suEXEC.  For most systems, 100 is common.
 */
#ifndef GID_MIN
#define GID_MIN 100
#endif

/*
 * USERDIR_SUFFIX -- Define to be the subdirectory under users'
 *                   home directories where suEXEC access should
 *                   be allowed.  All executables under this directory
 *                   will be executable by suEXEC as the user so
 *                   they should be "safe" programs.  If you are
 *                   using a "simple" UserDir directive (ie. one
 *                   without a "*" in it) this should be set to
 *                   the same value.  suEXEC will not work properly
 *                   in cases where the UserDir directive points to
 *                   a location that is not the same as the user's
 *                   home directory as referenced in the passwd file.
 *
 *                   If you have VirtualHosts with a different
 *                   UserDir for each, you will need to define them to
 *                   all reside in one parent directory; then name that
 *                   parent directory here.  IF THIS IS NOT DEFINED
 *                   PROPERLY, ~USERDIR CGI REQUESTS WILL NOT WORK!
 *                   See the suEXEC documentation for more detailed
 *                   information.
 */
#ifndef USERDIR_SUFFIX
#define USERDIR_SUFFIX "public_html"
#endif

/*
 * LOG_EXEC -- Define this as a filename if you want all suEXEC
 *             transactions and errors logged for auditing and
 *             debugging purposes.
 */
#ifndef LOG_EXEC
#define LOG_EXEC "/var/log/httpd-cgi.log"	/* Need me? */
#endif

/*
 * DOC_ROOT -- Define as the DocumentRoot set for Apache.  This
 *             will be the only hierarchy (aside from UserDirs)
 *             that can be used for suEXEC behavior.
 *             This is not used, since we have VirtualHosts defined.
 */
#ifndef DOC_ROOT
#define DOC_ROOT "/"
#endif

/*
 * FRONTPAGE_EXE -- We are running frontpage and we don't need to run
 *                  fpexe suid, since it's already set suid. Also, the
 *                  dir-rights are incorrect and so on...
 */
#ifndef FRONTPAGE_EXE
#define FRONTPAGE_EXE "/usr/local/frontpage/version3.0/apache-fp/_vti_bin/fpexe"
#endif

/*
 * SYSTEM_CGI -- Define as the cgi directory for system-wide CGI's
 *               Note that UID/GID of the cgi or the directory are
 *               NOT matched if they're in this directory, although
 *               all the other checks still apply. Caveat Emptor.
 */
#ifndef SYSTEM_CGI
#define SYSTEM_CGI "/usr/local/www/cgi-bin"
#endif

/*
 * SAFE_PATH -- Define a safe PATH environment to pass to CGI executables.
 *
 */
#ifndef SAFE_PATH
#define SAFE_PATH "/usr/local/bin:/usr/bin:/bin:."
#endif

#endif /* _SUEXEC_H */
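An added example, not part of the original message or of the Apache or FrontPage sources: a small C audit of two values in the header posted above, SAFE_PATH (which ends in ".") and DOC_ROOT (set to "/"). The function names and finding flags are hypothetical, and the check does not claim to identify the cause of the CGIs running as root.

```c
#include <string.h>

/* Values copied from the suexec.h posted above. */
#define POSTED_SAFE_PATH "/usr/local/bin:/usr/bin:/bin:."
#define POSTED_DOC_ROOT  "/"

/* Count PATH entries that resolve relative to the CGI's working
 * directory: empty entries (leading, trailing or doubled ':'), "."
 * and any other entry that does not start with '/'. A CGI that runs
 * a command by bare name can pick up a binary from such a directory. */
int count_relative_path_entries(const char *path)
{
    int bad = 0;
    const char *p = path;

    for (;;) {
        size_t len = strcspn(p, ":");   /* length of the current entry */
        if (len == 0 || p[0] != '/')
            bad++;
        if (p[len] == '\0')
            break;
        p += len + 1;                   /* step over the ':' separator */
    }
    return bad;
}

/* With DOC_ROOT set to "/" (or "//", ...), every directory on the
 * system lies inside the hierarchy the header comment says suEXEC is
 * limited to, so that containment check filters nothing. */
int doc_root_is_filesystem_root(const char *root)
{
    return root[0] == '/' && strspn(root, "/") == strlen(root);
}

/* Hypothetical finding flags for this example. */
enum { F_RELATIVE_PATH = 1, F_DOC_ROOT_SLASH = 2 };

/* Return a bitmask of findings for one set of suexec.h values. */
int audit_suexec_config(const char *safe_path, const char *doc_root)
{
    int findings = 0;

    if (count_relative_path_entries(safe_path) > 0)
        findings |= F_RELATIVE_PATH;
    if (doc_root_is_filesystem_root(doc_root))
        findings |= F_DOC_ROOT_SLASH;
    return findings;
}
```

Run against the posted values, both findings are raised; a SAFE_PATH of absolute directories only and a DOC_ROOT naming the real document tree raise none.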