
Bug#299191: apache2-common: suexec sets incorrect gid and groups



Package: apache2-common
Version: 2.0.53-5
Severity: grave
Justification: user security hole


I'm fairly certain this is specific to the MIPS port.  I looked at the
source and did some tests and am a bit perplexed.  I thought it was a
signedness issue, integer overflow I think they call it.  In any case
here's the rundown.  Apache is running as nobody/nogroup (65534/65534).
I was having some luser errors with a CGI script so I dropped a simple
command execution script in /usr/lib/cgi-bin/ to see if CGI worked in
general which it does. In any case I ran /usr/bin/id and noticed my gid
was wrong as well as my groups. I created a file just to ensure the
problem wasn't within id and did an ls on the file. It seems that it's a
problem with suexec itself. My box is slow as can be and I've just about
given up trying to build it from source and see for myself but I imagine
that perhaps this is built with a cross-compiler.  And that somehow the
signedness is incurred in this fashion.  I did test getgrnam and it
returns correct information. Here's some output from my lil' script:

$ id
uid=65534(nobody) gid=1(daemon) groups=4294967295
$ touch /tmp/nobody_was_here
$ ls -l /tmp/nobody_was_here
-rw-r--r--  1 nobody 4294967295 0 Mar 12 05:11 /tmp/nobody_was_here

Anyways this can in theory lead to some strange privilege elevation
given the gid of daemon. I chose grave since it seemed fitting although
in truth it's probably not a huge issue? There were no errors logged.
Anyways if I can fix strace to work or get this to compile I might be
able to send a patch or more useful info. For now it's still running
configure... ;)

peace,
core

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: mipsel (mips)
Kernel: Linux 2.4.27-r5k-cobalt
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apache2-common depends on:
ii  apache2-utils               2.0.53-5     utility programs for webservers
ii  debconf                     1.4.30.11    Debian configuration management sy
ii  debianutils                 2.8.4        Miscellaneous utilities specific t
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libdb4.2                    4.2.52-18    Berkeley v4.2 Database Libraries [
ii  libexpat1                   1.95.8-1     XML parsing C library - runtime li
ii  libgcc1                     1:3.4.3-6    GCC support library
ii  libmagic1                   4.12-1       File type determination library us
ii  mime-support                3.28-1       MIME files 'mime.types' & 'mailcap
ii  net-tools                   1.60-10      The NET-3 networking toolkit
ii  openssl                     0.9.7e-2     Secure Socket Layer (SSL) binary a
ii  ssl-cert                    1.0-11       Simple debconf wrapper for openssl

-- no debconf information
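As an added example (not part of this bug report and not Apache's suexec code), the C below shows why a gid of -1 is displayed as 4294967295 on Linux, where gid_t is a 32-bit unsigned type, and the post-privilege-drop check a suexec-style wrapper should make before exec: compare the live effective gid and supplementary group list against the intended target and refuse to continue on any mismatch. Function names are assumptions; the check needs no root to exercise against the current process.

```c
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* On Linux gid_t is a 32-bit unsigned type, so a -1 that slips in through a
 * signed int is stored as 4294967295, the value id(1) and ls(1) print in the
 * report above; (gid_t)-1 is also setresgid(2)'s "leave unchanged" sentinel. */
unsigned long gid_as_displayed(int raw)
{
    return (unsigned long)(gid_t)raw;
}

/* Return 0 when the live effective gid and supplementary list match the
 * intended target exactly (same size, every wanted group present);
 * 1, 2 or 3 say which check failed. A suexec-style wrapper would call
 * this after setgid()/initgroups() and refuse to exec on nonzero. */
int verify_group_identity(gid_t want_gid, const gid_t *want, int want_n)
{
    if (getegid() != want_gid)
        return 1;                     /* primary group is not the target */
    int have_n = getgroups(0, NULL);
    if (have_n < 0 || have_n != want_n)
        return 2;                     /* supplementary list has the wrong size */
    if (have_n == 0)
        return 0;
    gid_t *have = calloc((size_t)have_n, sizeof *have);
    if (!have || getgroups(have_n, have) != have_n) {
        free(have);
        return 2;
    }
    int rc = 0;
    for (int i = 0; i < want_n && rc == 0; i++) {
        int found = 0;
        for (int j = 0; j < have_n; j++)
            found |= (have[j] == want[i]);
        if (!found)
            rc = 3;                   /* an intended group is missing */
    }
    free(have);
    return rc;
}

/* Assumed helper: check the running process against its own supplementary
 * list and a caller-supplied expected egid (no root needed to exercise it). */
int check_current_process(gid_t want_gid)
{
    gid_t cur[256];
    int n = getgroups(256, cur);
    return n < 0 ? -1 : verify_group_identity(want_gid, cur, n);
}
```

In a real wrapper the intended values come from the target user's passwd entry and initgroups(), and the check runs immediately before execve(); a nonzero result should abort and be logged, which would have made the silent misconfiguration in this report visible.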


