Your message dated Sat, 12 Mar 2005 13:26:42 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#299191: Not suexec has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Charles Stevenson <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: apache2-common: suexec sets incorrect gid and groups
Date: Sat, 12 Mar 2005 05:17:52 -0800

Package: apache2-common
Version: 2.0.53-5
Severity: grave
Justification: user security hole

I'm fairly certain this is specific to the MIPS port. I looked at the
source and did some tests and am a bit perplexed. I thought it was a
signedness issue, integer overflow I think they call it. In any case
here's the rundown. Apache is running as nobody/nogroup (65534/65534).
I was having some luser errors with a CGI script so I dropped a simple
command execution script in /usr/lib/cgi-bin/ to see if CGI worked in
general which it does. In any case I ran /usr/bin/id and noticed my gid
was wrong as well as my groups. I created a file just to ensure the
problem wasn't within id and did an ls on the file. It seems that it's a
problem with suexec itself. My box is slow as can be and I've just about
given up trying to build it from source and see for myself but I imagine
that perhaps this is built with a cross-compiler. And that somehow the
signedness is incurred in this fashion. I did test getgrnam and it
returns correct information. Here's some output from my lil' script:

$ id
uid=65534(nobody) gid=1(daemon) groups=4294967295
$ touch /tmp/nobody_was_here
$ ls -l /tmp/nobody_was_here
-rw-r--r-- 1 nobody 4294967295 0 Mar 12 05:11 /tmp/nobody_was_here

Anyways this can in theory lead to some strange privilege elevation
given the gid of daemon. I chose grave since it seemed fitting although
in truth it's probably not a huge issue? There were no errors logged.
Anyways if I can fix strace to work or get this to compile I might be
able to send a patch or more useful info. For now it's still running
configure...
;)

peace,
core

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: mipsel (mips)
Kernel: Linux 2.4.27-r5k-cobalt
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apache2-common depends on:
ii  apache2-utils   2.0.53-5       utility programs for webservers
ii  debconf         1.4.30.11      Debian configuration management sy
ii  debianutils     2.8.4          Miscellaneous utilities specific t
ii  libc6           2.3.2.ds1-20   GNU C Library: Shared libraries an
ii  libdb4.2        4.2.52-18      Berkeley v4.2 Database Libraries [
ii  libexpat1       1.95.8-1       XML parsing C library - runtime li
ii  libgcc1         1:3.4.3-6      GCC support library
ii  libmagic1       4.12-1         File type determination library us
ii  mime-support    3.28-1         MIME files 'mime.types' & 'mailcap
ii  net-tools       1.60-10        The NET-3 networking toolkit
ii  openssl         0.9.7e-2       Secure Socket Layer (SSL) binary a
ii  ssl-cert        1.0-11         Simple debconf wrapper for openssl

-- no debconf information

---------------------------------------
Date: Sat, 12 Mar 2005 13:26:42 -0800
From: Steve Langasek <[EMAIL PROTECTED]>
To: Charles Stevenson <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#299191: Not suexec

On Sat, Mar 12, 2005 at 06:07:37AM -0800, Charles Stevenson wrote:
> Apparently I'm too tired to be sending bug reports ;-) It appears that
> suexec is not involved. My Qube2 finally finished running configure. I
> think the solution is in apache2.conf to use www-data for User and
> Group. Fixed the problems here :) Sorry for the bother. I think it has
> to do with "don't use Group #-1 on these systems!"

Group #-1 doesn't map to nogroup (65534); uids and gids on modern
GNU/Linux systems are 32-bit values, not 16-bit values.

Since there is indeed no privilege escalation here, I don't believe this
is a bug at all.

Thanks,
-- 
Steve Langasek
postmodern programmer
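
Added example (not part of the original thread, and not Apache or Debian code): a small check that scans a configuration for User/Group directives written in the numeric "#N" form and reports the id they turn into, which is how "Group #-1" ends up as 4294967295 rather than nogroup (65534). It assumes the number is read as a signed integer and stored in an unsigned id of the given width (32 bits, per the reply above); effective_id, audit and SAMPLE are hypothetical names.

```python
import re

ID_BITS = 32  # assumption, per the reply above: uids/gids are 32-bit values
DIRECTIVE = re.compile(r"^\s*(User|Group)\s+(\S+)", re.IGNORECASE)

def effective_id(spec, bits=ID_BITS):
    """Unsigned id that a numeric '#N' spec becomes; None for a plain name."""
    if not spec.startswith("#"):
        return None
    return int(spec[1:]) % (1 << bits)

def audit(config_text, bits=ID_BITS):
    """Return (line number, directive, spec, effective id) for wrapped ids."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)  # comment lines start with '#': no match
        if not match:
            continue
        directive, spec = match.groups()
        try:
            ident = effective_id(spec, bits)
        except ValueError:
            continue  # '#' followed by a non-number; out of scope here
        if ident is None:
            continue
        # A negative number, or the all-ones value it wraps to, is flagged.
        if int(spec[1:]) < 0 or ident == (1 << bits) - 1:
            findings.append((lineno, directive, spec, ident))
    return findings

# Constructed sample configuration, not taken from the reporter's machine.
SAMPLE = """\
# don't use Group #-1 on these systems!
User nobody
Group #-1
UserDir public_html
Group www-data
"""

if __name__ == "__main__":
    for lineno, directive, spec, ident in audit(SAMPLE):
        print(f"line {lineno}: {directive} {spec} -> id {ident}")
    print("16-bit view of #-1:", effective_id("#-1", 16), "(nogroup is 65534)")
```

Even with 16-bit ids, #-1 would come out as 65535 and not as nogroup's 65534, so the numeric form never names that group.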