OpenBSD Journal

Apache with suexec

Contributed by jose on from the help! dept.

Wouter writes: "Hi deadly.org visitors,

I've been trying to get suexec running for a few hours now: searched Google and mailing lists, chatted with a few people, but I can't find the solution.

I enabled suexec by doing this:

# chmod u+s /usr/sbin/suexec

As far as I know I've configured the VirtualHost OK, but when I try to run a CGI script with suexec, I get this error:

(9)Bad file descriptor: getpwuid: invalid userid 1010

When I unchroot Apache, everything works fine, but I just can't find out what I need to have in the chroot. I am running OpenBSD 3.3 -stable and I could really use some help."

Sounds like a lack of a complete chroot environment and a missing password database. Is there anything else missing or that should be stated?



Comments
  1. By Anonymous Coward () on

    AFAIK under chroot mode you won't be able to access other resources outside your chroot folder... I mean your /var/www/htdocs.
    Since the suexec executable is in /usr/sbin... Apache won't be able to access it...

  2. By Anonymous Coward () on

    Sounds like you don't have a /var/www/etc/passwd file...

  3. By Wouter () on

    I already tried to copy my whole /etc into the chroot, but it doesn't have any effect.

    It looks like suexec is accessed outside the chroot anyway.

  4. By Anonymous Coward () on

    Suexec looks like an interesting way to keep users from reading each other's files on a multi-user webserver.
    But what are the security implications of it? Having a SUID executable inside the chroot is a risk, right? Or has suexec been thoroughly audited, that it isn't that much of a risk?
    Could maybe someone shed some light on this?

    Comments
    1. By Anonymous Coward () on

      suexec is quite a small program and therefore not that hard to audit. Moreover, I guess it has been audited quite well by Apache developers as well as OpenBSD developers, since it seems to be included in OpenBSD.

  5. By dptth () on

    Just run httpd with the -u option, so it reaches suexec and user home files.
    /var is mounted nosuid by default, so suid programs will not work as expected here.

    Comments
    1. By Wouter () on

      No, I intend to keep the chroot... and if you read my earlier post you already knew Apache calls suexec outside of the chroot (how else can I see that suexec gets loaded and *tries* to do something while suexec isn't in the chroot?).

      Comments
      1. By dptth () on

        Hello, /var is mounted nosuid, so suexec will not su inside it, even via chroot.

        Comments
        1. By Anonymous Coward () on

          /var mounted nosuid? Not by definition. Depends on setup.

          Comments
          1. By dptth () on

            By default, when you install 3.3, it installs chrooting Apache and nosuid,nodev /var /home /tmp and nodev /usr.

            Comments
            1. By Anonymous Coward () on

              I very much doubt that counts as default setup. Can you tell me how big /var is by default?

              Comments
              1. By dptth () on

                Just try

  6. By Wouter () on

    Things changed; copying some /etc files into the chroot did nearly solve it.

    Now I get this error:

    [2003-06-19 18:55:14]: emerg: cannot get docroot information (/var/www/htdocs)

    DocumentRoot of the site is /var/www/htdocs/domain.com/. So I really don't know what the problem is now...

    Comments
    1. By jose () on http://monkey.org/~jose/

      Try stripping the leading /var/www from the path; since the server chroots to that, it's actually just /htdocs ... just a thought.

      Comments
      1. By Wouter () on

        Yes, I have in my of course /htdocs/... but I gave the full path so it's easier to understand ;)

    2. By Anonymous Coward () on

      Try making /var/www/var/www a symlink for /

      Comments
      1. By Anonymous Coward () on

        I tend to like doing
        /var/www/var -> .
        /var/www/www -> .
        ^_^

  7. By Anonymous Coward () on

    var is mounted nosuid by default in 3.3...

  8. By chris humphries () on unixfu.net

    It is trying to read /etc/group and doesn't have access.
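
The checks suggested in the comments above, collected into one script as an added example (not code from the thread or from OpenBSD): it looks for the password database and group file inside the chroot, tests whether the docroot path from the suexec error exists there, and reads mount(8)-style output to see whether a path sits on a nosuid filesystem. The function names, the temporary tree and the mount listing are constructed for illustration, and that getpwuid(3) reads etc/pwd.db is an assumption about OpenBSD's libc.

```shell
#!/bin/sh
# Added example: checks for the chroot problems raised in this thread.
# The temporary tree and the mount listing below are constructed samples.

# Read mount(8)-style lines ("dev on /mnt type ffs (opts)") on stdin and
# print the mount point holding path $1; the longest matching prefix wins.
mount_point_for() {
    awk -v p="$1" '
        { m = $3
          if ((m == "/" || p == m || index(p, m "/") == 1) &&
              length(m) > length(best)) best = m }
        END { print best }'
}

# Succeed if the filesystem holding path $1 is mounted nosuid ($2 = mount text).
is_nosuid() {
    mp=$(printf '%s\n' "$2" | mount_point_for "$1")
    printf '%s\n' "$2" | awk -v m="$mp" '$3 == m' | grep -qw nosuid
}

# $1 = chroot directory, $2 = docroot path named in the suexec error.
# Assumption: getpwuid(3) on OpenBSD reads etc/pwd.db, so it must be present.
check_chroot() {
    rc=0
    for f in etc/pwd.db etc/group; do
        [ -f "$1/$f" ] || { echo "missing: $1/$f"; rc=1; }
    done
    [ -d "$1$2" ] || { echo "docroot $2 not visible inside $1"; rc=1; }
    return $rc
}

SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0d on /usr type ffs (local, nodev)
/dev/wd0e on /var type ffs (local, nodev, nosuid)'

demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/htdocs"
    : > "$root/etc/group"                      # pwd.db left out on purpose
    check_chroot "$root" /var/www/htdocs || echo "-> incomplete chroot"
    : > "$root/etc/pwd.db"
    ln -s . "$root/var"; ln -s . "$root/www"   # symlinks suggested in the thread
    check_chroot "$root" /var/www/htdocs && echo "chroot tree ok"
    is_nosuid /var/www/htdocs "$SAMPLE_MOUNTS" && echo "/var/www is on nosuid"
    is_nosuid /usr/sbin/suexec "$SAMPLE_MOUNTS" || echo "/usr allows setuid"
    rm -rf "$root"
}
demo
```

On a live system, pass the output of `mount` as the second argument to `is_nosuid` and the real chroot directory to `check_chroot`.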

  9. By Piotr Kapczuk () on

    I've read comments and saw many people noticed MTU with IPsec problem.
    Here's my hint.

    I didn't want to touch MTU on physical interfaces, because sometimes it
    can cause problems. I found 'scrub max-mss' feature in PF very helpful.
    Thanks to these lines I don't have to worry about MTU anymore. TCP/IP
    negotiation takes care of this, and bigger packets will never show
    up.

    scrub in on enc0 all max-mss 1300
    scrub out on enc0 all max-mss 1300


    Comments
    1. By Piotr Kapczuk () on

      Oops. Sorry, my mistake. I've posted under the wrong thread. Webmaster, please cancel these two messages if you can.
