[ILUG] suexec/setgid32 error
blf at blf.utvinternet.co.uk
Mon Aug 23 23:21:41 IST 2004
| Date: Mon, 23 Aug 2004 10:00:23 +0100
| From: "John P. Looney" <valen at tuatha.org>
| I really hate suexec. It's one of those examples of secure programming
| gone wrong; where it's secure, because people can't usually use it.
| Anyway, I've a perl CGI script I'm trying to run suexec. However, I can't
| work out why it's failing. When I strace the httpd process, I see:
| [pid 11702] write(3, "[2004-08-23 09:54:03]: uid: (500/wwwuser) gid: (500/500) cmd: awstats.pl\n", 76) = 76
| [pid 11702] setgid32(500) = -1 EPERM (Operation not permitted)
“EPERM The user is not the super-user [ ... ], and
gid does not match the effective group ID or
saved set-group-ID of the calling process.”
I presume, therefore, that the process doing the setgid(2)
call does not have a EUID of 0 (superuser); and(/or?) it did
not previously have an EGID of <gid> (500, in this case).
I do not recall if there is an strace(1) option to show the
Effective UID/GID before/after each system call (or when it
changes?), but if there is, use it.
Please note /etc/group is not relevant. Why should it be?
| [pid 11702] time() = 1093251243
| [pid 11702] write(3, "[2004-08-23 09:54:03]: failed to setgid (500: awstats.pl)\n", 58) = 58
| any ideas how I debug this ? I've put:
| in /etc/group. I've run "chmod g+s awstats.pl". I can't see anything
| wrong, it's just...not working.
«How many surrealists does it take to | Brian Foster Montpellier,
change a lightbulb? Three. One calms | blf at utvinternet.ie FRANCE
the warthog, and two fill the bathtub | Stop E$$o (ExxonMobile)!
with brightly-colored machine tools.» | http://www.stopesso.com