[TriLUG] Apache question: su_exec and group permissions

Jeremy Portzer jeremyp at pobox.com
Fri May 30 14:45:37 EDT 2003


On Fri, 2003-05-30 at 14:41, Michael Donaghy wrote:
> On Fri, 2003-05-30 at 13:36, Jeremy Portzer wrote:
> > Hello,
> > 
> > I like to use Apache's su_exec feature to allow folks CGI access with as
> > much security as possible.  (Yes, CGI access at all is a security
> > problem of some degree, I understand that.)  However, su_exec always
> > fails when the CGI directory has group write permissions.  Changing the
> > permissions to 755 for the directories and CGI files fixes this, but I
> > need the permissions to be 775.
> > 
> > Is there any way to configure su_exec to allow group write permissions? 
> > --Jeremy
> 
> Jeremy,
> 
> It has been a while since I've coded in C, but I'd hazard a guess that
> around line 552 of support/suexec.c in the 2.0.46 distribution is what
> you're looking for.  I don't exactly see anything to pass to "configure"
> though.
> 
> 
>     /*
>      * Error out if cwd is writable by others.
>      */
>     if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) {
>         log_err("directory is writable by others: (%s)\n", cwd);
>         exit(116);
>     }
> 

Thanks.  I was hoping I wouldn't have to go code-hacking, but hey, this
is the benefit of open source.

I guess I'd want to change the if statement to this:
	if (dir_info.st_mode & S_IWOTH) {

That would make the error message correct too...heh.

--Jeremy

-- 
/=====================================================================\
| Jeremy Portzer       jeremyp at pobox.com       trilug.org/~jeremy     |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F  E135 6F9F F7BC CC1A 7B92 |
\=====================================================================/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://www.trilug.org/pipermail/trilug/attachments/20030530/9cae0059/attachment.pgp>


More information about the TriLUG mailing list