Re: mod_cgi/3784: CGI scripts not executed if gid not equal to server's gid
[In order for any reply to be added to the PR database, ] [you need to include [EMAIL PROTECTED] in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ] Synopsis: CGI scripts not executed if gid not equal to server's gid State-Changed-From-To: open-feedback State-Changed-By: dgaudet State-Changed-When: Tue Apr 20 18:51:19 PDT 1999 State-Changed-Why: Are you still having this problem? MULTIPLE_GROUPS is in fact useless and should be removed... it won't help you. The initgroups() call takes care of setting the groups. I have no problem with multiple groups ... you have to start the server as root -- the geteuid() is necessary, initgroups() won't succeed unless you do it as root. Dean
Re: mod_cgi/3784: CGI scripts not executed if gid not equal to server's gid
The following reply was made to PR mod_cgi/3784; it has been noted by GNATS. From: Nigel Cole [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: mod_cgi/3784: CGI scripts not executed if gid not equal to server's gid Date: Wed, 21 Apr 1999 16:07:30 +0100 In message [EMAIL PROTECTED], [EMAIL PROTECTED] writes Are you still having this problem? MULTIPLE_GROUPS is in fact useless and should be removed... it won't help you. The initgroups() call takes care of setting the groups. I have no problem with multiple groups ... you have to start the server as root -- the geteuid() is necessary, initgroups() won't succeed unless you do it as root. Yes, I'm still having this problem. Apache will not run a cgi-bin script that lacks world-execute permissions, unless the script is group-owned by the same group that the server is running as. This is with suexec disabled; OS is Solaris 2.6. The error message (file permissions deny server execution) is being produced in mod_cgi.c because a call to ap_can_exec() is returning 0. Examining ap_can_exec() in util.c, if MULTIPLE_GROUPS is undefined, then group_id_list[] is never examined, and the only group test is: if (ap_group_id == finfo-st_gid) if (finfo-st_mode S_IXGRP) return 1; MULTIPLE_GROUPS is not defined anywhere in the Apache source; the only occurrences I could find were all #ifdef MULTIPLE_GROUPS If MULTIPLE_GROUPS is defined, the server *can* execute the scripts, but then the second problem appears: the necessary array group_id_list is set with a call to getgroups, but only if the server is started as root. initgroups is not the problem - the problem is in the function set_group_privs. -- Nigel Cole
Re: mod_cgi/3784: CGI scripts not executed if gid not equal to server's gid
[In order for any reply to be added to the PR database, ] [you need to include [EMAIL PROTECTED] in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ] Synopsis: CGI scripts not executed if gid not equal to server's gid State-Changed-From-To: feedback-analyzed State-Changed-By: dgaudet State-Changed-When: Wed Apr 21 10:22:58 PDT 1999 State-Changed-Why: Oh it's that stupid code in mod_cgi again which pretends to implement unix access control semantics! Ugh. Why the heck didn't we get rid of this the last time it cropped up as a bug? It's in the new-httpd archives somewhere. Thanks for the clarification. Dean