OK, I have narrowed this down a little and I believe the issue lies
within apache2. An strace of the Apache process (with the LDAP bind DN
and password masked) shows the following:

write(43,
"05\2\1\1`0\2\1\2\4\35cn=XXXXXXX,ou=XXXXXXX,o=XXXXXX\200\fPasswordHere",
55) = 55
select(1024, [43], [], NULL, NULL)      = 1 (in [43])
read(43, "0\f\2\1\1a\7\n", 8)           = 8
read(43, "\1\0\4\0\4\0", 6)             = 6
time(NULL)                              = 1133427499
time(NULL)                              = 1133427499
write(43,
"0t\2\1\2co\4\20ou=XXXXX,o=XXXXX\n\1\2\n\1\0\2\1\2\2\1\0\1\1\0\240;\243\
[EMAIL PROTECTED]
t0\17\4\rhomeDirectory", 118) = 118
select(1024, [43], [], NULL, NULL)      = 1 (in [43])
read(43, "0I\2\1\2dD\4", 8)             = 8
read(43,
"\35cn=177611678,ou=XXXXX,o=XXXXX0#0!\4\rhomeDirectory1\20\4\16/u/0/3/15
72830", 67) = 67
select(1024, [43], [], NULL, NULL)      = 1 (in [43])
read(43, "0\f\2\1\2e\7\n", 8)           = 8
read(43, "\1\0\4\0\4\0", 6)             = 6
time(NULL)                              = 1133427499
stat64("/u/0/3/1572830/filedel.cgi", {st_mode=S_IFREG|0755, st_size=509,
...}) = 0
open("/u/0/.htaccess", O_RDONLY)        = -1 ENOENT (No such file or
directory)
open("/u/0/3/.htaccess", O_RDONLY)      = -1 ENOENT (No such file or
directory)
open("/u/0/3/1572830/.htaccess", O_RDONLY) = -1 ENOENT (No such file or
directory)
open("/u/0/3/1572830/filedel.cgi/.htaccess", O_RDONLY) = -1 ENOTDIR (Not
a directory)
getpid()                                = 2531
pipe([44, 45])                          = 0
fcntl64(45, F_GETFL)                    = 0x1 (flags O_WRONLY)
fcntl64(45, F_SETFL, O_WRONLY|O_NONBLOCK) = 0
pipe([46, 47])                          = 0
fcntl64(46, F_GETFL)                    = 0 (flags O_RDONLY)
fcntl64(46, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
pipe([48, 49])                          = 0
fcntl64(48, F_GETFL)                    = 0 (flags O_RDONLY)
fcntl64(48, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 50
connect(50, {sa_family=AF_FILE, path="/var/run/.nscd_socket"}, 110) = 0
writev(50, [{"\2\0\0\0\0\0\0\0\6\0\0\0", 12}, {"sword\0", 6}], 2) = 18
read(50,
"\2\0\0\0\1\0\0\0\6\0\0\0#\0\0\0\10E\r\0i\0\0\0\16\0\0\0\v\0\0\0\1\0\0\0
", 36) = 36
read(50, "sword\0$1$2731ed7a$iHervDgENtghzhbmU5mFQ/\0Not
Available\0/u/s/sword\0\0", 67) = 67
close(50)                               = 0
fork(Process 2556 attached (waiting for parent)
Process 2556 resumed (parent 2531 ready)
)                                  = 2556
[pid  2556] --- SIGSTOP (Stopped (signal)) @ 0 (0) ---
[pid  2556] getpid()                    = 2556
[pid  2556] getrlimit(RLIMIT_STACK, {rlim_cur=2044*1024,
rlim_max=RLIM_INFINITY}) = 0
[pid  2556] setrlimit(RLIMIT_STACK, {rlim_cur=RLIM_INFINITY,
rlim_max=RLIM_INFINITY}) = 0
[pid  2531] close(44)                   = 0
[pid  2556] close(3)                    = 0
[pid  2556] close(41)                   = 0
[pid  2556] close(40)                   = 0
[pid  2556] close(39)                   = 0
[pid  2556] close(38)                   = 0
[pid  2556] close(37)                   = 0
[pid  2556] close(36)                   = 0
[pid  2556] close(35)                   = 0
[pid  2556] close(34)                   = 0
[pid  2556] close(33)                   = 0
[pid  2556] close(32)                   = 0
[pid  2556] close(31)                   = 0
[pid  2556] close(30)                   = 0
[pid  2556] close(29)                   = 0
[pid  2556] close(28)                   = 0
[pid  2556] close(27)                   = 0
[pid  2556] close(25)                   = 0
[pid  2556] close(23)                   = 0
[pid  2556] close(26)                   = 0
[pid  2556] close(22)                   = 0
[pid  2556] close(21)                   = 0
[pid  2556] close(20)                   = 0
[pid  2556] close(19)                   = 0
[pid  2556] close(18)                   = 0
[pid  2556] close(8)                    = 0
[pid  2556] close(6)                    = 0
[pid  2556] close(5)                    = 0
[pid  2556] close(4)                    = 0
[pid  2531] close(47 <unfinished ...>
[pid  2556] close(42 <unfinished ...>
[pid  2531] <... close resumed> )       = 0
[pid  2531] close(49)                   = 0
[pid  2556] <... close resumed> )       = 0
[pid  2531] close(45)                   = 0
[pid  2531] poll( <unfinished ...>
[pid  2556] close(45)                   = 0
[pid  2556] dup2(44, 0)                 = 0
[pid  2556] close(44)                   = 0
[pid  2556] close(46)                   = 0
[pid  2556] dup2(47, 1)                 = 1
[pid  2556] close(47)                   = 0
[pid  2556] close(48)                   = 0
[pid  2556] dup2(49, 2)                 = 2
[pid  2556] close(49)                   = 0
[pid  2556] rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0
[pid  2556] chdir("/u/0/3/1572830/")    = 0
[pid  2556] getpid()                    = 2556
[pid  2556] getrlimit(RLIMIT_STACK, {rlim_cur=RLIM_INFINITY,
rlim_max=RLIM_INFINITY}) = 0
[pid  2556] rt_sigaction(SIGRTMIN, {SIG_DFL}, NULL, 8) = 0
[pid  2556] rt_sigaction(SIGRT_1, {SIG_DFL}, NULL, 8) = 0
[pid  2556] rt_sigaction(SIGRT_2, {SIG_DFL}, NULL, 8) = 0
[pid  2556] execve("/usr/lib/apache2/suexec2",
["/usr/lib/apache2/suexec2", "~869640", "105", "filedel.cgi"], [/* 20
vars */]) = 0


As you can see here, Apache finds the correct home directory after
looking it up in LDAP (/u/0/3/1572830/) and allows the 'filedel.cgi'
script to be run. It then looks up the account details through nscd, but
it only passes "sword" instead of "[EMAIL PROTECTED]". Because we have a
second user whose uid is 'sword', that other user's uid and gid are
returned and then passed on to suexec ("~869640", "105"), so the CGI
would run under the wrong account's identity. For some reason apache2
isn't passing the realm on to libnss-ldap?

Can anyone please confirm that I am not doing something stupid, and if
there really is an issue then I will lodge a bug report.

Adam.

-----Original Message-----
From: Adam Hewitt 
Sent: Wednesday, 30 November 2005 2:03 PM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] suexec + mod_ldap_user + multiple realms

Hi All,

I have a setup with roughly 14 different realms (acquired ISPs), and the
users in each realm are listed in LDAP as [EMAIL PROTECTED], which is
straightforward.

I have configured apache2 with mod_ldap_userdir such that if
[EMAIL PROTECTED] accesses http://homepages.domain1.com/~bill, the
mod_ldap_userdir config appends the realm to the username when it is
being looked up ([EMAIL PROTECTED]). All of this works perfectly and is
fairly straightforward.

The problem I am having is that apache2 passes the username to suexec,
and suexec passes the username on to libnss-ldap to be looked up, *but*
this fails because the username does not include the realm. Is there any
way to get around this, such as appending the realm to the username when
it's passed to suexec? Or how are other people getting around this
issue?

Cheers,

Adam.
