
Bug#227653: marked as done (suexec is on by default, breaks user cgi scripts if UserDir has changed)



Your message dated Tue, 28 Sep 2004 13:32:06 -0400
with message-id <E1CCLpe-0007xt-00@newraff.debian.org>
and subject line Bug#227653: fixed in apache2 2.0.52-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 14 Jan 2004 05:26:55 +0000
>From joey@kitenet.net Tue Jan 13 23:26:55 2004
Return-path: <joey@kitenet.net>
Received: from kitenet.net [64.62.161.42] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AgdYN-0007TE-00; Tue, 13 Jan 2004 23:26:55 -0600
Received: from dragon.kitenet.net (pm3naxs13-142.access.naxs.com [216.98.93.142])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
	by kitenet.net (Postfix) with ESMTP id 961B018050
	for <submit@bugs.debian.org>; Wed, 14 Jan 2004 05:26:51 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
	id 9CAD06E2D0; Wed, 14 Jan 2004 00:34:07 -0500 (EST)
Date: Wed, 14 Jan 2004 00:34:06 -0500
From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: suexec is on by default, breaks user cgi scripts if UserDir has changed
Message-ID: <20040114053406.GA3912@kitenet.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="PEIAKu/WMn1b1Hv9"
Content-Disposition: inline
X-Die-Cursed-Spawn-Of-Satan-Die-Die-Die: suexec
X-Reportbug-Version: 2.37
User-Agent: Mutt/1.5.4i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_01_13 
	(1.212-2003-09-23-exp) on master.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=HAS_PACKAGE autolearn=no 
	version=2.60-bugs.debian.org_2004_01_13
X-Spam-Level: 


--PEIAKu/WMn1b1Hv9
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: apache2-common
Version: 2.0.48-4
Severity: normal

Read this strace and weep:

stat64("/home/joey/html/blog/index.cgi", {st_mode=S_IFREG|0755, st_size=1538, ...}) = 0
..
fork(Process 3822 attached
..
[pid  3822] execve("/usr/lib/apache2/suexec2", ["/usr/lib/apache2/suexec2", "~1000", "1000", "index.cgi"], [/* 22 vars*/]) = 0
..
[pid  3822] getcwd("/home/joey/html/blog", 4096) = 21
[pid  3822] chdir("/home/joey")         = 0
[pid  3822] chdir("public_html")        = -1 ENOENT (No such file or directory)
[pid  3822] time([1074057876])          = 1074057876
[pid  3822] write(3, "[2004-01-14 00:24:36]: cannot ge"..., 67) = 67

Note that I have my web server configured as follows:

root@dragon:/etc/apache2>grep UserDir -r .
./mods-enabled/userdir.conf:    UserDir html
./mods-available/userdir.conf:  UserDir html
./apache2.conf:UserDir html
root@dragon:/etc/apache2>grep -i suexec -r .
./mods-available/suexec.load:LoadModule suexec_module /usr/lib/apache2/modules/mod_suexec.so
root@dragon:/etc/apache2>ls mods-enabled/suexec*
zsh: no matches found: mods-enabled/suexec*

Why is suexec loaded even though it is not linked to mods-enabled?
Why does suexec ignore my UserDir setting and try to use a nonexistent
"public_html" directory?

The workaround, as with every suexec problem I have ever filed a bug
on (and there have been many):

root@dragon:/usr/lib/apache2>dpkg-divert --add `pwd`/suexec2 --rename

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux dragon 2.4.24 #1 Thu Jan 8 15:48:32 EST 2004 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages apache2-common depends on:
ii  debconf                     1.4.3        Debian configuration management sy
ii  debianutils                 2.6.1        Miscellaneous utilities specific t
ii  libapr0                     2.0.48-4     The Apache Portable Runtime
ii  libc6                       2.3.2.ds1-10 GNU C Library: Shared libraries an
ii  libdb4.1                    4.1.25-10    Berkeley v4.1 Database Libraries [
ii  libexpat1                   1.95.6-6     XML parsing C library - runtime li
ii  libldap2                    2.1.23-1     OpenLDAP libraries
ii  libssl0.9.7                 0.9.7c-5     SSL shared libraries
ii  mime-support                3.23-1       MIME files 'mime.types' & 'mailcap
ii  net-tools                   1.60-8       The NET-3 networking toolkit
ii  openssl                     0.9.7c-5     Secure Socket Layer (SSL) binary a
ii  ssl-cert                    1.0-6        Simple debconf wrapper for openssl
ii  zlib1g                      1:1.2.1-3    compression library - runtime

-- no debconf information

-- 
see shy jo

--PEIAKu/WMn1b1Hv9
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFABNTOd8HHehbQuO8RAtnPAJ9fTdQ33jxuDn5P6KDY3bac4NE9hQCgqxv1
S/ZOS8swcBSzKxYOLgKWbCI=
=Hw2r
-----END PGP SIGNATURE-----

--PEIAKu/WMn1b1Hv9--

---------------------------------------
Received: (at 227653-close) by bugs.debian.org; 28 Sep 2004 17:38:27 +0000
>From katie@ftp-master.debian.org Tue Sep 28 10:38:27 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CCLvn-0005Jd-00; Tue, 28 Sep 2004 10:38:27 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1CCLpe-0007xt-00; Tue, 28 Sep 2004 13:32:06 -0400
From: Adam Conrad <adconrad@0c3.net>
To: 227653-close@bugs.debian.org
X-Katie: $Revision: 1.51 $
Subject: Bug#227653: fixed in apache2 2.0.52-1
Message-Id: <E1CCLpe-0007xt-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 28 Sep 2004 13:32:06 -0400
Delivered-To: 227653-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Source: apache2
Source-Version: 2.0.52-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2-common_2.0.52-1_powerpc.deb
apache2-doc_2.0.52-1_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.52-1_all.deb
apache2-mpm-perchild_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.52-1_powerpc.deb
apache2-mpm-prefork_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.52-1_powerpc.deb
apache2-mpm-threadpool_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.52-1_powerpc.deb
apache2-mpm-worker_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.52-1_powerpc.deb
apache2-prefork-dev_2.0.52-1_all.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.52-1_all.deb
apache2-threaded-dev_2.0.52-1_all.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.52-1_all.deb
apache2_2.0.52-1.diff.gz
  to pool/main/a/apache2/apache2_2.0.52-1.diff.gz
apache2_2.0.52-1.dsc
  to pool/main/a/apache2/apache2_2.0.52-1.dsc
apache2_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2_2.0.52-1_powerpc.deb
apache2_2.0.52.orig.tar.gz
  to pool/main/a/apache2/apache2_2.0.52.orig.tar.gz
libapr0-dev_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/libapr0-dev_2.0.52-1_powerpc.deb
libapr0_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/libapr0_2.0.52-1_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 227653@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 28 Sep 2004 10:21:20 -0600
Source: apache2
Binary: apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-threadpool apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source all powerpc
Version: 2.0.52-1
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description: 
 apache2    - Next generation, scalable, extendable web server
 apache2-common - Next generation, scalable, extendable web server
 apache2-doc - Documentation for apache2
 apache2-mpm-perchild - Experimental High speed perchild threaded model for Apache2
 apache2-mpm-prefork - Traditional model for Apache2
 apache2-mpm-threadpool - Experimental High speed thread pool model for Apache2
 apache2-mpm-worker - High speed threaded model for Apache2
 apache2-prefork-dev - Development headers for apache2
 apache2-threaded-dev - Development headers for apache2
 libapr0    - The Apache Portable Runtime
 libapr0-dev - Development headers for libapr
Closes: 227653 239571 261820 272531 272865 273017 273019 273021 273258 273412
Changes: 
 apache2 (2.0.52-1) unstable; urgency=high
 .
   * New upstream bugfix/security release:
     - Fixes CAN-2004-0811: Satisfy directive bypass (closes: #273412)
   * Add '|| true' to a2enmod to stop it from dying when the installed MPM
     isn't prefork (closes: #273017, #273019, #272865, #273021, #273258)
   * Touch /var/log/apache2/error.log on new installs to ensure that our log
     directory isn't removed until the package is purged, so logrotate doesn't
     complain about its inability to find it (closes: #239571)
   * Add 032_suexec_is_shared, which makes sure suEXEC is only searched for
     and enabled when mod_suexec is loaded (closes: #227653)
   * Use '$APACHE2CTL startssl' consistently in init script to make sure the
     SSL define doesn't disappear on force-reload (closes: #272531)
   * Add 033_dbm_read_hash_or_btree to allow apr-util and dbmmanage to open
     and manipulate DB_BTREE databases, while still defaulting to creating
     DB_HASH databases as before.  This should clear up incompatibilities
     with other applications (such as PHP) which default to DB_BTREE.
   * Moved dbmmanage2 to /usr/bin, instead of /usr/sbin, as it's a user tool.
   * Added 034_ab2_has_openssl, thanks to 2.1-cvs, Fedora, thom, and a bit
     of munging, to compile a working ab2 with SSL support (closes: #261820)
Files: 
 c01ef2dbeb3dd4fee724d7ad094c7acb 1131 net optional apache2_2.0.52-1.dsc
 4c0578a0fa70f06763ead1a421e0354a 6909589 net optional apache2_2.0.52.orig.tar.gz
 0e33880dd06323e29fabc02d9d2cb8e1 99181 net optional apache2_2.0.52-1.diff.gz
 a72ad8540188f0a71de78625dea5af1c 3524902 doc optional apache2-doc_2.0.52-1_all.deb
 d6acc839952ee48ef8839043882b26e6 164418 devel optional apache2-prefork-dev_2.0.52-1_all.deb
 953a3612cb2bd62ff9333e8c609de064 165186 devel optional apache2-threaded-dev_2.0.52-1_all.deb
 72f8806e55fbe04e83ae0018975e5575 912880 net optional apache2-common_2.0.52-1_powerpc.deb
 644639e7928265be6a040ccc64d4983a 222966 net optional apache2-mpm-worker_2.0.52-1_powerpc.deb
 4adf0dfc0ddc2bb117090c8aff6aa7d8 31204 net optional apache2-mpm-threadpool_2.0.52-1_powerpc.deb
 baad0f25dca23ce127142f11ca8a7d05 224172 net optional apache2-mpm-perchild_2.0.52-1_powerpc.deb
 fdf425383b01b1737b768f2cec7c90cf 218978 net optional apache2-mpm-prefork_2.0.52-1_powerpc.deb
 2e81057cf93efc6701b8c0b79fb48749 131396 net optional libapr0_2.0.52-1_powerpc.deb
 0afbc63ced9ece79431284a3f3782d77 268958 libdevel optional libapr0-dev_2.0.52-1_powerpc.deb
 ba8cec0bb989350ce6859ced26561285 30472 web optional apache2_2.0.52-1_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBWZ51vjztR8bOoMkRAu7JAJ92J5Si3OM48YYd42vFBhbjGLCoJgCgsCes
2kuWT1CsDSrjdSchJbwb93E=
=CEd/
-----END PGP SIGNATURE-----
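
Added example, not part of the bug report or of the Debian package: a POSIX shell check for the two conditions reported above, namely whether mod_suexec is actually enabled and whether the userdir suffix compiled into the suexec wrapper matches the UserDir values in the configuration. The function names, the fixture files and the sample `-D AP_USERDIR_SUFFIX` text (written in the format `suexec -V` prints) are constructed assumptions.

```shell
# Added example: compare suexec's compiled-in userdir suffix with UserDir.

# Pull AP_USERDIR_SUFFIX out of `suexec -V`-style text read from stdin.
suexec_suffix() {
    sed -n 's/^[[:space:]]*-D AP_USERDIR_SUFFIX="\(.*\)"$/\1/p'
}

# Distinct first arguments of UserDir directives under config dir $1 (keywords skipped).
userdir_values() {
    grep -rhiE '^[[:space:]]*UserDir[[:space:]]+' "$1" 2>/dev/null |
        awk '{ v = tolower($2); if (v != "enabled" && v != "disabled") print $2 }' |
        sort -u
}

# Succeeds only if a LoadModule line for suexec_module sits in mods-enabled.
suexec_module_enabled() {
    grep -qsE '^[[:space:]]*LoadModule[[:space:]]+suexec_module' "$1"/mods-enabled/*.load
}

# audit CONF_DIR SUEXEC_V_TEXT: print one finding per line.
audit() {
    suffix=$(printf '%s\n' "$2" | suexec_suffix)
    if suexec_module_enabled "$1"; then
        echo "INFO mod_suexec is enabled"
    else
        echo "WARN mod_suexec is not enabled; CGI should not go through suexec"
    fi
    for dir in $(userdir_values "$1"); do
        [ "$dir" = "$suffix" ] || echo "MISMATCH UserDir=$dir suexec=$suffix"
    done
}

# Constructed fixture mirroring the configuration quoted in the report.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/mods-enabled" "$d/mods-available"
    echo 'UserDir html' > "$d/apache2.conf"
    echo '    UserDir html' > "$d/mods-enabled/userdir.conf"
    echo 'LoadModule suexec_module /usr/lib/apache2/modules/mod_suexec.so' > "$d/mods-available/suexec.load"
    echo "$d"
}

# Constructed sample of the compile-time settings, not output from a real host.
SAMPLE_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_USERDIR_SUFFIX="public_html"'

fx=$(make_fixture)
audit "$fx" "$SAMPLE_V"
rm -rf "$fx"
```

On a live host, pass the real configuration directory and the text printed by `suexec -V` in place of the fixture and the sample.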


