Re: Apache suexec problem

2008-05-05 Thread Louis V. Lambrecht
Dan Harnett wrote: On Mon, May 05, 2008 at 11:39:03AM -0500, Chris Bennett wrote: Actually I didn't, checked that right after I posted, BUT it was already set as setuid!! A mistake in release?? No. There is no mistake. $ sudo chmod u+s /usr/sbin/suexec $ ls -l /usr/sbin/suexec -r-sr-

Re: Apache suexec problem

2008-05-05 Thread Chris Bennett
I tried renaming suexec to suexec.bak this produced the result of some scripts working, others don't These are all tested scripts I am now concerned that there may be a hardware problem How can I check out the disk in OpenBSD? fsck doesn't seem to really do any write testing. I saw a previous pos

Re: Apache suexec problem

2008-05-05 Thread Chris Bennett
Good idea, but I just checked and /usr is not nosuid Stuart Henderson wrote: On 2008-05-05, Chris Bennett <[EMAIL PROTECTED]> wrote: I am upgrading 4.0 to 4.3, overwriting everything to change partition layout. Did you somehow end up with suexec on a partition mounted "nosuid"?

Re: Apache suexec problem

2008-05-05 Thread Stuart Henderson
On 2008-05-05, Chris Bennett <[EMAIL PROTECTED]> wrote: > I am upgrading 4.0 to 4.3, overwriting everything to change partition > layout. Did you somehow end up with suexec on a partition mounted "nosuid"?

Re: Apache suexec problem

2008-05-05 Thread Dan Harnett
On Mon, May 05, 2008 at 11:39:03AM -0500, Chris Bennett wrote: > Actually I didn't, checked that right after I posted, BUT it was > already set as setuid!! A mistake in release?? No. There is no mistake. $ sudo chmod u+s /usr/sbin/suexec $ ls -l /usr/sbin/suexec -r-sr-xr-x 1 root bin 12068 Ma

Re: Apache suexec problem

2008-05-05 Thread Chris Bennett
Actually I didn't, checked that right after I posted, BUT it was already set as setuid!! A mistake in release?? Dan Harnett wrote: On Mon, May 05, 2008 at 08:36:27AM -0500, Chris Bennett wrote: I am upgrading 4.0 to 4.3, overwriting everything to change partition layout. Apache seems to b

Re: Apache suexec problem

2008-05-05 Thread Dan Harnett
On Mon, May 05, 2008 at 08:36:27AM -0500, Chris Bennett wrote: > I am upgrading 4.0 to 4.3, overwriting everything to change partition > layout. > Apache seems to be working fine except for cgi > I get in suexec_log: > [2008-05-05 00:53:03]: info: (target/actual) uid: (chris002/chris002) gid: >

Re: Apache suexec problem

2008-05-05 Thread Marc Espie
I've looked a bit at suexec, trying to make it go saner. I still cringe. The model is intrinsically broken, for a lot of reasons. I don't think it's feasible to fix suexec for real. You've got to realize that suexec basically *elevates* a process to root, making its decision on its name and variou

Re: Apache suexec problem

2008-05-05 Thread Chris Bennett
I also just found on openbsd.org/plus34.html: Use setusercontext(3) instead of roll-your-own in httpd(8) , so that login.conf(5)

Re: Apache suexec problem

2008-05-05 Thread Chris Bennett
I did find the following, which seems relevant but I have no idea if doing this would be ok or not. Number: 6637 Category: suexec Synopsis: suexec doesn't use setusercontext() and related Confidential: no Severity: non-critical Priority: medium Responsible:

Apache suexec problem

2008-05-05 Thread Chris Bennett
I am upgrading 4.0 to 4.3, overwriting everything to change partition layout. Apache seems to be working fine except for cgi I get in suexec_log: [2008-05-05 00:53:03]: info: (target/actual) uid: (chris002/chris002) gid: (bencon/bencon) cmd: search.pl [2008-05-05 00:53:03]: emerg: failed to se