OpenBSD Journal

Apache with suexec

Contributed by jose on from the help! dept.

Wouter writes: "Hi visitors,

I've been trying to get suexec running for a few hours now: searched google and mailling lists, chatted with a few people, but I can't find the solution.

I enabled suexec by doing this:

# chmod u+s /usr/sbin/suexec
As far as I know I've configured the VirtualHost ok, but when I try to run a CGI script with suexec, I get this error:
(9)Bad file descriptor: getpwuid: invalid userid 1010
When I unchroot apache, everything works fine, but I just can't find out what I need to have into the chroot. I am running OpenBSD 3.3 -stable and I could really use some help."
Sounds like a lack of a complete chroot environment and a missing password database. Is there anything else missing or that should be stated?

(Comments are closed)

  1. By Anonymous Coward () on

    AFAIK under chroot mode you wont be able to access other resourse outside your chroot folder.. i mean your /var/www/htdocs
    sin the suexec executable is /usr/sbin... apache won't be able to access it..

  2. By Anonymous Coward () on

    sounds like you dont have a /var/www/etc/passwd

  3. By Wouter () on

    I already tried to copy my whole /etc into the chroot, but it doesn't have any affect.

    It looks like suexec is accessed outside the chroot anyway.

  4. By Anonymous Coward () on

    Suexec looks like an interesting way to keep users from reading eachothers files on a multi-user webserver.
    But what are the security implications of it? Having a SUID executable inside the chroot is a risk, right? Or has suexec been thoroughly audited, that it isn't that much of a risk?
    Could maybe someone shed some light on this?

    1. By Anonymous Coward () on

      suexec is a quite small program and therefor not that hard to audit. moreover i guess it has been audited quite well by apache developers as well as openbsd developers since it seems to be included in openbsd.

  5. By dptth () on

    Just run httpd with -u option, so it reaches suexec and user home files
    /var is mounted nosuid by default, so suid programs will not work as expected here

    1. By Wouter () on

      No, I intend to keep the chroot.. and if you read my earlier post you already knew Apache calls suexec outside of the chroot (how else can I see that suexec get loaded and *tries* to do something while suexec isn't in the chroot?).

      1. By dptth () on

        Hello /var is mounted nosuid so suexec will not su inside it even via chroot

        1. By Anonymous Coward () on

          /var mounted nosuid
          Not by definition. Depends on setup.

          1. By dptth () on

            By default, when you install 3.3 it installs chrooting apache and nosuid,nodev /var /home /tmp and nodev /usr

            1. By Anonymous Coward () on

              i very much doubt that counts as default setup. Can you tell me how big /var is by default?

              1. By dptth () on

                Just try

  6. By Wouter () on

    Things changed, copying some /etc files into the chroot did nearly solve it.

    Now I get this error:

    [2003-06-19 18:55:14]: emerg: cannot get docroot information (/var/www/htdocs)

    DocumentRoot of the site is /var/www/htdocs/ So I really don't know what's the problem now...

    1. By jose () on

      try stripping the leading /var/www from the path, since the server chroots to that its actually just /htdocs ... just a thought.

      1. By Wouter () on

        Yes I have in my off course /htdocs/... but I gave to full path so its easier to understand ;)

    2. By Anonymous Coward () on

      try making /var/www/var/www a symlink for /

      1. By Anonymous Coward () on

        i tend to like doing
        /var/www/var -> .
        /var/www/www -> .

  7. By Anonymous Coward () on

    var is mounted nosuid by default in 3.3...

  8. By chris humphries () on

    it is trying to read /etc/group and doesnt have access.

  9. By Piotr Kapczuk () on

    I've read comments and saw many people noticed MTU with IPsec problem.
    Here's my hint.

    I didn't want to touch MTU on physical interfaces, because sometimes it
    can cause problems. I found 'scrub max-mss' feature in PF very helpful.
    Thanks to these lines I don't have to worry about MTU anymore. TCP/IP
    negotiation takes care about this, and bigger packets will newer show

    scrub in on enc0 all max-mss 1300
    scrub out on enc0 all max-mss 1300

    1. By Piotr Kapczuk () on

      Ups. Sorry, my mistake. I've posted under wrong thread. Webmaster please cancel these two messages if you can.

Latest Articles


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]