[TriLUG] Apache question: su_exec and group permissions
Jeremy Portzer
jeremyp at pobox.com
Fri May 30 14:45:37 EDT 2003
On Fri, 2003-05-30 at 14:41, Michael Donaghy wrote:
> On Fri, 2003-05-30 at 13:36, Jeremy Portzer wrote:
> > Hello,
> >
> > I like to use Apache's su_exec feature to allow folks CGI access with as
> > much security as possible. (Yes, CGI access at all is a security
> > problem of some degree, I understand that.) However, su_exec always
> > fails when the CGI directory has group write permissions. Changing the
> > permissions to 755 for the directories and CGI files fixes this, but I
> > need the permissions to be 775.
> >
> > Is there any way to configure su_exec to allow group write permissions?
> > --Jeremy
>
> Jeremy,
>
> It has been a while since I've coded in C, but I'd hazard a guess that
> around line 552 of support/suexec.c in the 2.0.46 distribution is what
> you're looking for. I don't exactly see anything to pass to "configure"
> though.
>
>
> /*
> * Error out if cwd is writable by others.
> */
> if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) {
> log_err("directory is writable by others: (%s)\n", cwd);
> exit(116);
> }
>
Thanks. I was hoping I wouldn't have to go code-hacking, but hey, this
is the benefit of open source.
I guess I'd want to change the if statement to this:
if (dir_info.st_mode & S_IWOTH) {
That would make the error message correct too...heh.
--Jeremy
--
/=====================================================================\
| Jeremy Portzer jeremyp at pobox.com trilug.org/~jeremy |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F E135 6F9F F7BC CC1A 7B92 |
\=====================================================================/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://www.trilug.org/pipermail/trilug/attachments/20030530/9cae0059/attachment.pgp>
More information about the TriLUG
mailing list