On 29/06/2022 16:51, MK wrote:
Package: apache2
Version: 2.4.53-1~deb11u1
Severity: minor
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
Enabling cgid in apache2 (with a2enmod cgid) results in an error when using
mpm_event:
[cgid:error] [pid 8943:tid 140189712234240] (22)Invalid argument: [client
x.x.x.x:49364] AH01257: unable to connect to cgi daemon after multiple tries:
/usr/lib/cgi-bin/xxxxxx
Meanwhile, the user receives a 503 HTTP error, rather than the CGI content.
Upon launch, Apache creates /var/run/apache2/cgisock.PID (where PID is the PID
in question), however it does that as the www-data user and root group, who
does not have write access to /var/run/apache2 (where only the root user has
write permission).
To fix this, chmod g+rwx /var/run/apache2 fixes the issue. Since we're only
adding the root group, this likely has a minimal security effect.
Alternately, the default directive of
/etc/apache2/mods-available/cgid.conf: ScriptSock
${APACHE_RUN_DIR}/cgisock
Should not point to a folder that does not have write access by www-data user
and a subfolder with more open permission should be created.
Hi,
Thanks for the report. Alternative: I tried to move cgid socket into
${APACHE_RUN_DIR}/socks/cgisock, created now by apache2ctl and owned by
www-data
(https://salsa.debian.org/apache-team/apache2/-/pipelines/395609). Then
no security changes.
Let's wait for pipeline result