The following reply was made to PR mod_cgi/3784; it has been noted by GNATS.
From: Nigel Cole <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: mod_cgi/3784: CGI scripts not executed if gid not equal to
server's gid
Date: Wed, 21 Apr 1999 16:07:30 +0100
In message <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] writes
>Are you still having this problem?
>
>MULTIPLE_GROUPS is in fact useless and should be removed... it
>won't help you.
>
>The initgroups() call takes care of setting the groups.
>
>I have no problem with multiple groups ... you have to
>start the server as root -- the geteuid() is necessary,
>initgroups() won't succeed unless you do it as root.
Yes, I'm still having this problem. Apache will not run a cgi-bin script
that lacks world-execute permissions, unless the script is group-owned
by the same group that the server is running as. This is with suexec
disabled; OS is Solaris 2.6.
The error message ("file permissions deny server execution") is being
produced in mod_cgi.c because a call to ap_can_exec() is returning 0.
Examining ap_can_exec() in util.c, if MULTIPLE_GROUPS is undefined, then
group_id_list[] is never examined, and the only group test is:
if (ap_group_id == finfo->st_gid)
if (finfo->st_mode & S_IXGRP)
return 1;
MULTIPLE_GROUPS is not defined anywhere in the Apache source; the only
occurrences I could find were all #ifdef MULTIPLE_GROUPS
If MULTIPLE_GROUPS is defined, the server *can* execute the scripts, but
then the second problem appears: the necessary array group_id_list is
set with a call to getgroups, but only if the server is started as root.
"initgroups" is not the problem - the problem is in the function
"set_group_privs".
--
Nigel Cole
