Volker Kroll wrote:
On Tue, 2003-12-09 at 00:09, Stas Bekman wrote:

[Volker has sent me the long output offline, so I'm just quoting the interesting parts here]


I also want to see the console messages (not error_log) when you run from under /root/mod_perl-1.99_11/ as you did in the first place.

> ulimit -c unlimited; t/TEST -bugreport -verbose=0
> *** root mode: changing the files ownership to 'nobody' (99:99)
> *** /usr/bin/perl -e ' require POSIX; POSIX::setuid(99);
> POSIX::setgid(99); print -r q{/root/mod_perl-1.99_11/t} && -w _ &&
> -x _ ? q{OK} : q{NOK}; '
>
> *** result: OK

That explains the problem. My test to check whether user 'nobody' will be able to access files under /root seems to pass, but when Apache starts as nobody it doesn't.

Can you please show us the perms of your /root directory? e.g. on my machine it's:

drwx------ 43 root root 4096 Dec 8 14:31 root

drwxr-x--- 19 root root 4096 Dec 8 19:11 root (Bad permissions for a root directory, but it is the default on Fedora Core.)


% grep nobody /etc/passwd

nobody:x:99:99:Nobody:/:/sbin/nologin

Is it possible that nobody is in the root group?


Maybe POSIX::setuid(99) fails? Does running the following as root:

% /usr/bin/perl -le 'require POSIX; POSIX::setuid(99); POSIX::setgid(99); \
  print -r q{/root} &&  -w _ && -x _ ? q{OK} : q{NOK}; '

give you:

OK?


Yes it does.

How about:


% su - nobody
% perl -le 'print -r q{/root} &&  -w _ && -x _ ? q{OK} : q{NOK}; '

If it does, the following will probably fail too:

perl -le 'require POSIX; POSIX::setuid(99) or die "failed to run: $@";'


no error/ no output with this line.

OK, so POSIX::setuid(99) is not failing.


and this?

% /usr/bin/perl -le 'require POSIX;  \
  POSIX::setuid(99) or die "NOK"; \
  POSIX::setgid(99) or die "NOK"; \
  print -r q{/root} &&  -w _ && -x _ ? q{OK} : q{NOK}; '

gives OK

So you see, a user 'nobody' somehow can read, write and execute things in the /root directory. So either something is horribly broken on your system, or POSIX::setuid is failing silently and the test is still running as root and therefore succeeds. The 'su - nobody' test above should give us the answer where the fault is.




__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
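
The access check discussed in this message, as an added example that is not part of the original e-mail or of mod_perl's test suite: it changes the groups before the uid, dies if any step fails, and confirms the resulting ids before testing the directory, so an OK cannot come from a process that still holds root's uid, gid or group list. The script layout, argument order and messages are assumptions; /root and 99:99 are the values quoted above.

```perl
#!/usr/bin/perl
# Added example. Run as root: perl check_access.pl [DIR [UID [GID]]]
# Defaults are the values quoted in the thread (/root, 99:99).
use strict;
use warnings;
use POSIX ();

my $dir = @ARGV ? shift : '/root';
my $uid = @ARGV ? shift : 99;
my $gid = @ARGV ? shift : 99;
die "run this as root so the ids can be switched\n" unless $> == 0;
die "DIR must be an absolute path\n" unless $dir =~ m{^/};

# Switch ids in a child so the parent keeps root and reports the result.
defined(my $pid = fork()) or die "fork failed: $!\n";
if ($pid == 0) {
    # Groups first, uid last: once the uid is no longer 0 the process may
    # not change its groups, and it would keep root's gid and group list.
    $! = 0;
    $) = "$gid $gid";    # effective gid plus a one-entry supplementary list
    die "setting groups to $gid failed: $!\n" if $!;
    POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";
    POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

    # Confirm the switch instead of trusting the calls.
    my ($rgid) = split ' ', $(;
    my ($egid, @groups) = split ' ', $);
    die "still uid $< / euid $>\n" unless $< == $uid && $> == $uid;
    die "still gid $rgid / egid $egid\n" unless $rgid == $gid && $egid == $gid;
    die "extra groups: @groups\n" if grep { $_ != $gid } @groups;

    # Every parent directory must be searchable, not only the target.
    my $path = '';
    for my $part (grep { length } split m{/}, $dir) {
        $path .= "/$part";
        unless (-x $path) { print "NOK: cannot traverse $path\n"; exit 1 }
    }
    # Mode bits say yes; also confirm with a real directory read.
    my $ok = -r $dir && -w _ && -x _ && opendir(my $dh, $dir);
    print $ok ? "OK\n" : "NOK: $dir is not usable by $uid:$gid\n";
    exit($ok ? 0 : 1);
}
waitpid($pid, 0);
exit($? == 0 ? 0 : 1);
```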

