| Date: Mon, 23 Aug 2004 10:00:23 +0100
| From: "John P. Looney" <valen at tuatha.org>
| I really hate suexec. It's one of those examples of secure programming
| gone wrong; where it's secure, because people can't usually use it.
| Anyway, I've a perl CGI script I'm trying to run suexec. However, I can't
| work out why it's failing. When I strace the httpd process, I see:
| [pid 11702] write(3, "[2004-08-23 09:54:03]: uid: (500/wwwuser) gid: (500/500) cmd: awstats.pl\n", 76) = 76
| [pid 11702] setgid32(500) = -1 EPERM (Operation not permitted)
EPERM The user is not the super-user [ ... ], and
gid does not match the effective group ID or
saved set-group-ID of the calling process.”
I presume, therefore, that the process doing the setgid(2)
call does not have a EUID of 0 (superuser); and(/or?) it did
not previously have an EGID of <gid> (500, in this case).
I do not recall if there is an strace(1) option to show the
Effective UID/GID before/after each system call (or when it
changes?), but if there is, use it.
please note /etc/group is not relevant. why should it be?
| [pid 11702] time() = 1093251243
| [pid 11702] write(3, "[2004-08-23 09:54:03]: failed to setgid (500: awstats.pl)\n", 58) = 58
| any ideas how I debug this ? I've put:
| in /etc/group. I've run "chmod g+s awstats.pl". I can't see anything
| wrong, it's just...not working.
«How many surrealists does it take to | Brian Foster Montpellier,
change a lightbulb? Three. One calms | blf at utvinternet.ie FRANCE
the warthog, and two fill the bathtub | Stop E$$o (ExxonMobile)!
with brightly-colored machine tools.» | http://www.stopesso.com
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!