[ILUG] suexec/setgid32 error

[Brian Foster]

  | Date: Mon, 23 Aug 2004 10:00:23 +0100
  | From: "John P. Looney" <valen at tuatha.org>
  | 
  |  I really hate suexec. It's one of those examples of secure programming
  | gone wrong; where it's secure, because people can't usually use it.
  | 
  |  Anyway, I've a perl CGI script I'm trying to run suexec. However, I can't
  | work out why it's failing. When I strace the httpd process, I see:
  | 
  | [pid 11702] write(3, "[2004-08-23 09:54:03]: uid: (500/wwwuser) gid: (500/500) cmd: awstats.pl\n", 76) = 76
  | [pid 11702] setgid32(500)               = -1 EPERM (Operation not permitted)

 from setgid(2):

   “ERRORS
       EPERM  The user is not the super-user [ ... ], and
              gid does not match the effective group ID or
              saved set-group-ID of the calling process.”

 I presume, therefore, that the process doing the setgid(2)
 call does not have a EUID of 0 (superuser); and(/or?) it did
 not previously have an EGID of <gid> (500, in this case).

 I do not recall if there is an strace(1) option to show the
 Effective UID/GID before/after each system call (or when it
 changes?), but if there is, use it.

 please note /etc/group is not relevant.  why should it be?

cheers!
	-blf-

  | [pid 11702] time([1093251243])          = 1093251243
  | [pid 11702] write(3, "[2004-08-23 09:54:03]: failed to setgid (500: awstats.pl)\n", 58) = 58
  | 
  |  any ideas how I debug this ? I've put:
  | 
  | wwwuser:x:500:apache
  | 
  |  in /etc/group. I've run "chmod g+s awstats.pl". I can't see anything
  | wrong, it's just...not working.
  | 
  | John
-- 
«How many surrealists does it take to    |  Brian Foster      Montpellier,
 change a lightbulb?  Three.  One calms  |  blf at utvinternet.ie      FRANCE
 the warthog, and two fill the bathtub   |    Stop E$$o (ExxonMobile)!
 with brightly-colored machine tools.»   |        http://www.stopesso.com