I did find the following, which seems relevant but I have no idea if doing this would be ok or not.

Number:         6637
Category:       suexec
Synopsis:       suexec doesn't use setusercontext() and related
Confidential:   no
Severity:       non-critical
Priority:       medium
Responsible:    apache
State:          open
Quarter:
Keywords:
Date-Required:
Class:          change-request
Submitter-Id:   apache
Arrival-Date:   Fri Oct 06 21:30:00 PDT 2000
Closed-Date:
Last-Modified:
Originator:     [EMAIL PROTECTED]
Release:        1.3.12
Organization:
apache
Environment:
FreeBSD - all versions. My version is 4.1 (base). GNU cc.
Description:
FreeBSD (probably other BSD flavors... I don't know what OSes have this
functionality) employs a login capabilities database wherein certain classes of
users can have limits imposed upon them, such as max cpu time, memory, # of
procs, filesize, etc.  It's a wonderful addition to my suexec (see patch below;
I'm sure it needs to be MUCH better than what I've done for general
distribution) - it helps prevent runaway CGIs.
If you need more info on these routines or a platform or anything, I'll lend a 
hand.
Thanks!
How-To-Repeat:

Fix:
diff -u suexec.c suexec.c.orig

--- suexec.c    Sat Sep  2 18:08:04 2000
+++ suexec.c.orig       Sat Sep  2 16:28:54 2000
@@ -90,10 +90,6 @@

#include <stdarg.h>

-/* LOCAL CODE ADDITION */
-#include <login_cap.h>
-/* END LOCAL CODE ADDITION */
-
#include "suexec.h"

/*
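Review bot: the #include <login_cap.h> added at the top of suexec.c is unconditional, and that header only exists on systems with the BSD login capability database, so the file would stop compiling everywhere else. Put the include behind a build-time guard and place the setusercontext() call under the same guard. Separately, the patch was produced as diff -u suexec.c suexec.c.orig, so the local additions appear as '-' lines; regenerate it with the original file first so it applies without reversing.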
@@ -441,22 +437,6 @@
       log_err("emerg: failed to setuid (%ld: %s)\n", uid, cmd);
       exit(110);
    }
-
-    /*
-     * (LOCAL CODE ADDITION)
-     * setusercontext() so login.conf's settings take effect
-     * Above, there's a comment that says:
-     *    Save these for later since initgroups will hose the struct
-     * Which means that the 'pw' struct should be hosed by now.. but
-     * I don't see why, and this seems to work fine, at least for FreeBSD
-     */
-
-    if ((setusercontext(NULL, pw, uid, LOGIN_SETRESOURCES)) != 0) {
-        log_err("emerg: Failed to setusercontext(%ld: %s)\n", uid, cmd);
-        exit(130);
-    }
-
-    /* END LOCAL CODE ADDITION */

    /*
     * Get the current working directory, as well as the proper
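Review bot: the setusercontext() call is placed after the setuid() check, so it runs once root has already been given up, and it passes a pw pointer that the hunk's own comment concedes initgroups may have clobbered. An unprivileged process cannot raise hard limits, so any login.conf value above the inherited hard limit will fail at that point, and a setuid-root helper should not read a possibly stale struct passwd on the strength of "seems to work fine". Move the call ahead of the privilege drop, and either make it before initgroups or re-fetch the entry with getpwuid(uid) just before use.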
Release-Note:
Audit-Trail:
Unformatted:

OpenBSD 4.3 has suexec.c section as:


#if defined(USE_SETUSERCONTEXT)
   if (setusercontext(NULL, pw, uid,
       LOGIN_SETALL & ~(LOGIN_SETLOGIN | LOGIN_SETPATH)) != 0) {
       log_err("emerg: failed to setusercontext (%u: %s)\n", uid, cmd);
       exit(110);
   }
#else
   /*
    * Change UID/GID here so that the following tests work over NFS.
    *
    * Initialize the group access list for the target user,
    * and setgid() to the target group. If unsuccessful, error out.
    */
   if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
       log_err("emerg: failed to setgid (%u: %s)\n", gid, cmd);
       exit(109);
   }

   /*
    * setuid() to the target user.  Error out on fail.
    */
   if ((setuid(uid)) != 0) {
       log_err("emerg: failed to setuid (%u: %s)\n", uid, cmd);
       exit(110);
   }
#endif







Chris Bennett wrote:
I am upgrading 4.0 to 4.3, overwriting everything to change partition layout.
Apache seems to be working fine except for CGI.
I get in suexec_log:
[2008-05-05 00:53:03]: info: (target/actual) uid: (chris002/chris002) gid: (bencon/bencon) cmd: search.pl
[2008-05-05 00:53:03]: emerg: failed to setusercontext (5001: search.pl)
[2008-05-05 00:56:54]: info: (target/actual) uid: (chris002/chris002) gid: (bencon/bencon) cmd: search.pl
[2008-05-05 00:56:54]: emerg: failed to setusercontext (5001: search.pl)

I can't find anything searching the web except programmer's bug notes which don't apply.

What is this error? What do I need to check? (I have even tried adding a new user and chowning to that uid and gid. It didn't help, but it also didn't change the error output in suexec_log at all; it stayed EXACTLY as above, even after stopping apache and/or rebooting.)

Thanks,
Chris
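
The PR description above says login-class limits help prevent runaway CGIs. The following is an added example, not code from suexec.c, the PR, or either poster: setusercontext() is not available outside the BSDs, so plain POSIX setrlimit() stands in for it here to cap a child's CPU time before it runs. The function names and the 1 s / 3 s limits are assumptions chosen for the demonstration.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower one limit for the calling process. Never ask for more than the
 * current hard limit, which an unprivileged process may not raise. */
static int cap_limit(int resource, rlim_t soft, rlim_t hard)
{
    struct rlimit cur, want;
    if (getrlimit(resource, &cur) != 0)
        return -1;
    want.rlim_max = (hard < cur.rlim_max) ? hard : cur.rlim_max;
    want.rlim_cur = (soft < want.rlim_max) ? soft : want.rlim_max;
    return setrlimit(resource, &want);
}

/* Fork a child standing in for a runaway CGI (hypothetical helper). The
 * limits go on first, where a wrapper would set them before exec, then the
 * child spins. Returns the terminating signal, 0 on normal exit, -1 on error. */
int run_runaway_child(rlim_t cpu_soft, rlim_t cpu_hard)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        volatile unsigned long n = 0;
        signal(SIGXCPU, SIG_DFL);        /* do not inherit an ignored SIGXCPU */
        if (cap_limit(RLIMIT_CORE, 0, 0) != 0 ||
            cap_limit(RLIMIT_CPU, cpu_soft, cpu_hard) != 0)
            _exit(111);                  /* fail closed if a limit cannot be set */
        for (;;)
            n++;                         /* burn CPU until the kernel steps in */
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    int sig = run_runaway_child(1, 3);   /* constructed limits: soft 1 s, hard 3 s */
    printf("child ended by signal %d (SIGXCPU is %d)\n", sig, SIGXCPU);
    return sig == SIGXCPU ? 0 : 1;
}
```

The hard limit above the soft one is what guarantees termination: a child that catches or ignores SIGXCPU is still killed when it reaches the hard limit.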
