The following reply was made to PR mod_cgi/918; it has been noted by GNATS.
From: Dean Gaudet <[EMAIL PROTECTED]>
To: "Tyler J. Allison" <[EMAIL PROTECTED]>
Subject: Re: mod_cgi/918: if not using suexec, apache forces user to use
server gid/uid settings
Date: Sat, 26 Jul 1997 23:48:22 -0700 (PDT)
Ok from "cvs annotate mod_cgi.c util.c" I get this (searching just for
can_exec):
1.30 (randy 25-Jan-97): if (!suexec_enabled) {
1.30 (randy 25-Jan-97): if (!can_exec(&r->finfo))
1.30 (randy 25-Jan-97): return log_scripterror(r, conf,
FORBIDDEN,
1.30 (randy 25-Jan-97): "file
permissions deny server execution");
1.30 (randy 25-Jan-97): }
And for can_exec() itself:
1.61 (ben 13-Jul-97): API_EXPORT(int) can_exec(const struct stat
*finfo) {
1.22 (jim 02-Oct-96): #ifdef MULTIPLE_GROUPS
1.19 (jim 23-Sep-96): int cnt;
1.22 (jim 02-Oct-96): #endif
1.53 (ben 15-Jun-97): #if defined(__EMX__) || defined(WIN32)
1.2 (ben 22-Feb-96): /* OS/2 dosen't have Users and Groups */
1.37 (randy 28-Dec-96): return 1;
1.2 (ben 22-Feb-96): #else
1.1 (cvs 14-Jan-96): if(user_id == finfo->st_uid)
1.1 (cvs 14-Jan-96): if(finfo->st_mode & S_IXUSR)
1.1 (cvs 14-Jan-96): return 1;
1.22 (jim 02-Oct-96): if(group_id == finfo->st_gid)
1.22 (jim 02-Oct-96): if(finfo->st_mode & S_IXGRP)
1.22 (jim 02-Oct-96): return 1;
1.22 (jim 02-Oct-96): #ifdef MULTIPLE_GROUPS
1.19 (jim 23-Sep-96): for(cnt=0; cnt < NGROUPS_MAX; cnt++) {
1.19 (jim 23-Sep-96): if(group_id_list[cnt] ==
finfo->st_gid)
1.19 (jim 23-Sep-96): if(finfo->st_mode & S_IXGRP)
1.19 (jim 23-Sep-96): return 1;
1.19 (jim 23-Sep-96): }
1.22 (jim 02-Oct-96): #endif
1.1 (cvs 14-Jan-96): return (finfo->st_mode & S_IXOTH);
1.2 (ben 22-Feb-96): #endif
1.1 (cvs 14-Jan-96): }
So it's all pretty old code. (Note the annotations are from the HEAD
which is 1.3a2-dev at the moment rather than 1.2.1 ...)
But it looks to me like it should work if the file is gid of the webserver
and g+x is set ... that's one of the tests in there. So yeah if you
could dig a bit further that'd be great. Thanks
Dean
