[TriLUG] Apache question: su_exec and group permissions

Michael Donaghy michael at donaghy.org
Fri May 30 14:41:40 EDT 2003


On Fri, 2003-05-30 at 13:36, Jeremy Portzer wrote:
> Hello,
> 
> I like to use Apache's su_exec feature to allow folks CGI access with as
> much security as possible.  (Yes, CGI access at all is a security
> problem of some degree, I understand that.)  However, su_exec always
> fails when the CGI directory has group write permissions.  Changing the
> permissions to 755 for the directories and CGI files fixes this, but I
> need the permissions to be 775.
> 
> Is there any way to configure su_exec to allow group write permissions? 
> --Jeremy

Jeremy,

It has been a while since I've coded in C, but I'd hazard a guess that
around line 552 of support/suexec.c in the 2.0.46 distribution is what
you're looking for.  I don't exactly see anything to pass to "configure"
though.


    /*
     * Error out if cwd is writable by others.
     */
    if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) {
        log_err("directory is writable by others: (%s)\n", cwd);
        exit(116);
    }


Michael