Re: suexec: disabled; invalid wrapper /usr/sbin/suexec
Jeremy Huiskamp wrote: suexec: disabled; invalid wrapper /usr/sbin/suexec Did you read suexec(8)? I expect you mean this? Because this program is only used internally by httpd(8), there are no other ways to directly invoke suexec. No. I was looking at mod_perl and have no plans in the near future to try suexec. The error makes some sense in the context above. Regards -Lars
Re: suexec: disabled; invalid wrapper /usr/sbin/suexec
On 1-Sep-08, at 3:17 AM, Lars Noodin wrote: Jeremy Huiskamp wrote: suexec: disabled; invalid wrapper /usr/sbin/suexec Did you read suexec(8)? I expect you mean this? Because this program is only used internally by httpd(8), there are no other ways to directly invoke suexec. No. I was looking at mod_perl and have no plans in the near future to try suexec. The error makes some sense in the context above. Regards -Lars No, I meant this: In order to work correctly, the suexec binary should be owned by ``root'' and have the SETUID execution bit set. OpenBSD currently does not in- stall suexec with the SETUID bit set, so a change of file mode is neces- sary to enable it...
Re: suexec: disabled; invalid wrapper /usr/sbin/suexec
Jeremy Huiskamp wrote: No, I meant this: In order to work correctly, the suexec binary should be owned by ``root'' and have the SETUID execution bit set. OpenBSD currently does not in- stall suexec with the SETUID bit set, so a change of file mode is neces- sary to enable it... Thanks. Interesting. I thought SUID-root scripts were vulnerable to race condition-based vulnerabilities, among other things. Is that also the case for OpenBSD? If not, why? Alternately, how lame would it be to have one suexec per suexec-user and have each copy owned by that user? That would at least avoid having it operate as root. Regards, -Lars
Re: suexec: disabled; invalid wrapper /usr/sbin/suexec
On Mon, Sep 01, 2008 at 10:17:34AM +0300, Lars Nood??n wrote: Jeremy Huiskamp wrote: suexec: disabled; invalid wrapper /usr/sbin/suexec Did you read suexec(8)? I expect you mean this? Because this program is only used internally by httpd(8), there are no other ways to directly invoke suexec. No. The next paragraph.
Re: suexec: disabled; invalid wrapper /usr/sbin/suexec
* Lars Noodin [EMAIL PROTECTED] [2008-09-01 10:05]: Jeremy Huiskamp wrote: No, I meant this: In order to work correctly, the suexec binary should be owned by ``root'' and have the SETUID execution bit set. OpenBSD currently does not in- stall suexec with the SETUID bit set, so a change of file mode is neces- sary to enable it... Thanks. Interesting. I thought SUID-root scripts were vulnerable to race condition-based vulnerabilities, among other things. Is that also the case for OpenBSD? If not, why? [EMAIL PROTECTED] $ file /usr/sbin/suexec /usr/sbin/suexec: ELF 64-bit MSB executable, SPARC64, version 1, for OpenBSD, dynamically linked (uses shared libs), stripped - not a script. Alternately, how lame would it be to have one suexec per suexec-user and have each copy owned by that user? That would at least avoid having it operate as root. oh holy root, must be avoided at any cost, right. go read suexec code. even docs would be a good start. first thing it does after being invoked is dropping privileges to the target user account. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: suexec: disabled; invalid wrapper /usr/sbin/suexec
Hi! On Sun, Aug 31, 2008 at 05:01:20PM -0400, Jeremy Huiskamp wrote: Did you read suexec(8)? Wouldn't one also need to copy over the suexec binary to the chroot for chrooted httpds, nowadays? That isn't mentioned in the suexec(8) manual page. Kind regards, Hannah.
Re: suexec: disabled; invalid wrapper /usr/sbin/suexec
On 31-Aug-08, at 3:21 PM, Lars Noodin wrote: Listing the modules in Apache/1.3.29 (4.4-current base, i386 snapshot from 29 Aug) gives a warning regarding suexec. Regards -Lars # httpd -l Compiled-in modules: http_core.c mod_env.c . . . mod_ssl.c suexec: disabled; invalid wrapper /usr/sbin/suexec Did you read suexec(8)?