Date:      Wed, 1 Apr 1998 13:51:42 +0800 (WST)
From:      Dean Hollister <dean@odyssey.apana.org.au>
To:        Travis Mikalson <bofh@terranova.net>
Cc:        freebsd-isp@FreeBSD.ORG, Jeremy Malcolm <terminus@odyssey.apana.org.au>
Subject:   Re: suexec error
Message-ID:  <Pine.BSF.3.96.980401134826.7304A-100000@odyssey.apana.org.au>
In-Reply-To: <3521C396.5056@terranova.net>

On Tue, 31 Mar 1998, Travis Mikalson wrote:

> Check out the log file that suexec creates (I set mine to
> /var/log/cgi.log)
> 
> It will give you the reason that suexec terminated the cgi being wrapped
> before it could run.

I found the cause. suexec.h had the incorrect user the server runs as.

However, upon installing the recompiled version, all cgi ran as root - a
definite security no-no. So, I compiled the standalone version of suexec
which works correctly.

Here is the suexec.h file for the Frontpage extensions. There _has_ to be
a bug in the header:

[Copyright Notice snipped to conserve space]

 *
 */

/* "FPEXE modification made on Nov 2nd 1997 by Mark Wormgoor (riddles@ipe.nl)
 *
 * Changes were made in order to use Suexec and Frontpage 98 at the same time.
 * Instead of trying to run suid on /usr/local/frontpage/currentversion/bin/fpexe, 
 * we execute this so the suid-bit does all the work
 */

/*
 * suexec.h -- user-definable variables for the suexec wrapper code.
 */


#ifndef _SUEXEC_H
#define _SUEXEC_H

/*
 * HTTPD_USER -- Define as the username under which Apache normally
 *               runs.  This is the only user allowed to execute
 *               this program.
 */
#ifndef HTTPD_USER
#define HTTPD_USER "nobody"
#endif

/*
 * UID_MIN -- Define this as the lowest UID allowed to be a target user
 *            for suEXEC.  For most systems, 500 or 100 is common.
 */
#ifndef UID_MIN
#define UID_MIN 100
#endif

/*
 * GID_MIN -- Define this as the lowest GID allowed to be a target group
 *            for suEXEC.  For most systems, 100 is common.
 */
#ifndef GID_MIN
#define GID_MIN 100
#endif

/*
 * USERDIR_SUFFIX -- Define to be the subdirectory under users' 
 *                   home directories where suEXEC access should
 *                   be allowed.  All executables under this directory
 *                   will be executable by suEXEC as the user so 
 *                   they should be "safe" programs.  If you are 
 *                   using a "simple" UserDir directive (ie. one 
 *                   without a "*" in it) this should be set to 
 *                   the same value.  suEXEC will not work properly
 *                   in cases where the UserDir directive points to 
 *                   a location that is not the same as the user's
 *                   home directory as referenced in the passwd file.
 *
 *                   If you have VirtualHosts with a different
 *                   UserDir for each, you will need to define them to
 *                   all reside in one parent directory; then name that
 *                   parent directory here.  IF THIS IS NOT DEFINED
 *                   PROPERLY, ~USERDIR CGI REQUESTS WILL NOT WORK!
 *                   See the suEXEC documentation for more detailed
 *                   information.
 */
#ifndef USERDIR_SUFFIX
#define USERDIR_SUFFIX "public_html"
#endif

/*
 * LOG_EXEC -- Define this as a filename if you want all suEXEC
 *             transactions and errors logged for auditing and
 *             debugging purposes.
 */
#ifndef LOG_EXEC
#define LOG_EXEC "/var/log/httpd-cgi.log" /* Need me? */
#endif

/*
 * DOC_ROOT -- Define as the DocumentRoot set for Apache.  This
 *             will be the only hierarchy (aside from UserDirs)
 *             that can be used for suEXEC behavior.
 *             This is not used, since we have VirtualHosts defined.
 */
#ifndef DOC_ROOT
#define DOC_ROOT "/"
#endif

/*
 * FRONTPAGE_EXE -- We are running frontpage and we don't need to run
 *                  fpexe suid, since it's already set suid.  Also, the
 *                  dir-rights are incorrect and so on...
 */

#ifndef FRONTPAGE_EXE
#define FRONTPAGE_EXE "/usr/local/frontpage/version3.0/apache-fp/_vti_bin/fpexe"
#endif
                    
/*
 * SYSTEM_CGI -- Define as the cgi directory for system-wide CGI's
 *               Note that UID/GID of the cgi or the directory are
 *               NOT matched if they're in this directory, although
 *               all the other checks still apply. Caveat Emptor.
 */

#ifndef SYSTEM_CGI
#define SYSTEM_CGI "/usr/local/www/cgi-bin"
#endif

/*
 * SAFE_PATH -- Define a safe PATH environment to pass to CGI executables.
 *
 */
#ifndef SAFE_PATH
#define SAFE_PATH "/usr/local/bin:/usr/bin:/bin:."
#endif

#endif  /* _SUEXEC_H */
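
Added example (not part of the original message and not Apache's suexec source): a small C audit of values from the header posted above. It flags a SAFE_PATH containing an empty or relative entry such as ".", a DOC_ROOT of "/" under which every directory falls inside the allowed hierarchy, and target ids that are root or below the configured minimums. The POSTED_* macros and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Values copied from the suexec.h quoted in the message above. */
#define POSTED_UID_MIN   100
#define POSTED_GID_MIN   100
#define POSTED_DOC_ROOT  "/"
#define POSTED_SAFE_PATH "/usr/local/bin:/usr/bin:/bin:."

/* Return 1 only if every PATH entry is a non-empty absolute directory.
 * Empty entries and "." resolve against the CGI's working directory,
 * which for a UserDir script is a directory the user can write to. */
int path_is_safe(const char *path) {
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 0;
        if (!end)
            return 1;
        p = end + 1;
    }
}

/* Return 1 if the document root is absolute and is not the filesystem
 * root, i.e. an "is under DOC_ROOT" test can actually reject something. */
int docroot_confines(const char *root) {
    return root[0] == '/' && root[1] != '\0';
}

/* Return 1 if the target ids are non-root and at or above the minimums. */
int target_ids_ok(long uid, long gid, long uid_min, long gid_min) {
    return uid > 0 && gid > 0 && uid >= uid_min && gid >= gid_min;
}

/* Count the findings in the posted header's settings. */
int audit_posted_header(void) {
    int findings = 0;
    if (!path_is_safe(POSTED_SAFE_PATH))    findings++;
    if (!docroot_confines(POSTED_DOC_ROOT)) findings++;
    return findings;
}

int main(void) {
    printf("findings in posted header: %d\n", audit_posted_header());
    printf("uid 0 accepted as target: %d\n",
           target_ids_ok(0, 0, POSTED_UID_MIN, POSTED_GID_MIN));
    return 0;
}
```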

