Bug#1014056: marked as done (apache2: /var/run/apache2 permissions too narrow for cgid)

[Debian Bug Tracking System]

Your message dated Fri, 08 Jul 2022 07:04:02 +0000
with message-id <e1o9i1y-000hp6...@fasolo.debian.org>
and subject line Bug#1014056: fixed in apache2 2.4.54-2
has caused the Debian Bug report #1014056,
regarding apache2: /var/run/apache2 permissions too narrow for cgid
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1014056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014056
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: apache2
Version: 2.4.53-1~deb11u1
Severity: minor


Dear Maintainer,


*** Reporter, please consider answering these questions, where appropriate ***


Enabling cgid in apache2 (with a2enmod cgid) results in an error when using 
mpm_event:
    [cgid:error] [pid 8943:tid 140189712234240] (22)Invalid argument: [client 
x.x.x.x:49364] AH01257: unable to connect to cgi daemon after multiple tries: 
/usr/lib/cgi-bin/xxxxxx
Meanwhile, the user receives a 503 HTTP error, rather than the CGI content.

Upon launch, Apache creates /var/run/apache2/cgisock.PID (where PID is the PID 
in question), however it does that as the www-data user and root group, who 
does not have write access to /var/run/apache2 (where only the root user has 
write permission).

To fix this, chmod g+rwx /var/run/apache2 fixes the issue.  Since we're only 
adding the root group, this likely has a minimal security effect.

Alternately, the default directive of
    /etc/apache2/mods-available/cgid.conf:    ScriptSock 
${APACHE_RUN_DIR}/cgisock
Should not point to a folder that does not have write access by www-data user 
and a subfolder with more open permission should be created.

-- Package-specific info:


-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)


Kernel: Linux 5.10.0-15-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


Versions of packages apache2 depends on:
ii  apache2-bin          2.4.53-1~deb11u1
ii  apache2-data         2.4.53-1~deb11u1
ii  apache2-utils        2.4.53-1~deb11u1
ii  dpkg                 1.20.10
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  mime-support         3.66
ii  perl                 5.32.1-4+deb11u2
ii  procps               2:3.3.17-5


Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0+nmu1


Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>


Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.0-6+deb11u1
ii  libaprutil1              1.6.1-5
ii  libaprutil1-dbd-sqlite3  1.6.1-5
ii  libaprutil1-ldap         1.6.1-5
ii  libbrotli1               1.0.9-2+b2
ii  libc6                    2.31-13+deb11u3
ii  libcrypt1                1:4.4.18-4
ii  libcurl4                 7.74.0-1.3+deb11u1
ii  libjansson4              2.13.1-1.1
ii  libldap-2.4-2            2.4.57+dfsg-3+deb11u1
ii  liblua5.3-0              5.3.3-1.1+b1
ii  libnghttp2-14            1.43.0-1
ii  libpcre3                 2:8.39-13
ii  libssl1.1                1.1.1n-0+deb11u3
ii  libxml2                  2.9.10+dfsg-6.7+deb11u2
ii  perl                     5.32.1-4+deb11u2
ii  zlib1g                   1:1.2.11.dfsg-2+deb11u1


Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>


Versions of packages apache2 is related to:
ii  apache2      2.4.53-1~deb11u1
ii  apache2-bin  2.4.53-1~deb11u1


-- no debconf information

--- End Message ---

--- Begin Message ---

Source: apache2
Source-Version: 2.4.54-2
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Jul 2022 15:49:58 +0200
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.54-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1014056
Changes:
 apache2 (2.4.54-2) unstable; urgency=medium
 .
   * Move cgid socket into a writeable directory (Closes: #1014056)
   * Update lintian overrides
   * Declare compliance with policy 4.6.1
   * Install NOTICE in each package
Checksums-Sha1: 
 226a920fa24572c8830260faabf41cd54f489263 3488 apache2_2.4.54-2.dsc
 ce536f24a36c06243b691c9ca164c4e3eba875ca 899544 apache2_2.4.54-2.debian.tar.xz
Checksums-Sha256: 
 a7a5025128d97f4477819a9f77eea997cdd3c509e6f7e1db011ea53ba297f44a 3488 
apache2_2.4.54-2.dsc
 a7f1eea74cdd1566b8af3df1fcd46dc2457eb705380bccd4c3c8bdfa3774712d 899544 
apache2_2.4.54-2.debian.tar.xz
Files: 
 f65a84c5fae1dce3c96ba8dea6f6401e 3488 httpd optional apache2_2.4.54-2.dsc
 acb82e34859ad39e7b500c8dd9b06078 899544 httpd optional 
apache2_2.4.54-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmLH0UkACgkQ9tdMp8mZ
7unoTQ//WgEAsikONdZugcR8Z9bJIqgH+NHxGm5Nq4R7JxHvAe/J2BH9njDNvuQo
3IGPSkmYP0MuaLjBpxEIrwYae9ek5n7TS38yjFh6imYqPWyTEsihNqehO495+mDC
EpREpCOVOuxbl6ApiIhe+S24vrJHVj3KdVh5AR5fUq9lyu16qu5nYvqob4LLEGXZ
x9ba5peklYRqr9TrBfsM84Cxlz3m75i+09U9PXWLBEy/Gh3QvEGXYHQR4ua8eDG0
YdQ1ORjQoFGFZWMBKRxyifzO2ZMh6BgSdfxyjKr9BDgIHKPM8X/XVi1Nyq6Xs2aT
Up8XyJF/AN9yiQYk4DdjD4TEpiINSejI635w4LUU/EzKFXVDEOG54uT7Ni4z5mv0
ABqL58Y+eLDwrmBUbkVuYbhH8SE1k3yHALnuB3pYi4OO1Pvz7qNO/ms2FBNrtk6J
jwJcf8M35R3KFq6YtAsuO9TbX/Wefi4E5KtujMXSTZEdA/o6kNjPUQeHaJ5ZJ9sT
0JUd9pk1L8VeJv/OZW++2N+QvZnP3VgzXM3hP6+jNNgDQjq+n+a30NAdMjK3cCL1
ARMoSwboIwmGLLMEHovz7dlYbV0+pXaeMBxgwIs5R2mZfTYRKERSwbkW10bM1HF4
fKgAJUJJhgkLqTnjAOeHwuEtLIljNw19Vw4Zq6gbk/4foD4bJhM=
=WEvL
-----END PGP SIGNATURE-----

--- End Message ---