[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#385656: apache: mod_cgi does not play well with Posix ACLs

Package: apache
Version: 1.3.34-4+aclfix
Severity: normal

Apache's mod_cgi will not execute cgi scripts that
have an ACL entry allowing www-data to execute them 
unless they also have standard Unix permissions 
allowing execution. Thus defeating the purpose of using
the ACL in the first place.

I have attached a patch that seems to work for me.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages apache depends on:
ii  apache-common            1.3.34-4+aclfix support files for all Apache webse
ii  debconf [debconf-2.0]       Debian configuration management sy
ii  libc6                    2.3.6-7         GNU C Library: Shared libraries
ii  libdb4.4                 4.4.20-3        Berkeley v4.4 Database Libraries [
ii  libexpat1                1.95.8-3.2      XML parsing C library - runtime li
ii  libmagic1                4.12-1          File type determination library us
ii  logrotate                3.7-2           Log rotation utility
ii  lsb-base                 3.0-16          Linux Standard Base 3.0 init scrip
ii  mime-support             3.28-1          MIME files 'mime.types' & 'mailcap
ii  perl                     5.8.8-6.1       Larry Wall's Practical Extraction 

apache recommends no packages.

-- debconf information excluded

the Edward Blevins   <thedward@barsoom.net>    (512) 796-6661
/(0\         mi tavla fo la lojban .i xu do go'i? 
\1)/ .i.e'u ko vitke fi zoi .url. http://www.lojban.org .url.
Today is Prickle-Prickle, the 25th day of Bureaucracy in the YOLD 3172
diff -Naurd build-tree/apache_1.3.34/src/modules/standard/mod_cgi.c apache_1.3.34-cgi-acl-fix/src/modules/standard/mod_cgi.c
--- build-tree/apache_1.3.34/src/modules/standard/mod_cgi.c	2004-11-24 13:10:19.000000000 -0600
+++ apache_1.3.34-cgi-acl-fix/src/modules/standard/mod_cgi.c	2006-09-01 16:02:49.821235919 -0500
@@ -382,9 +382,14 @@
 	return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
 			       "attempt to invoke directory as script");
     if (!ap_suexec_enabled) {
-	if (!ap_can_exec(&r->finfo))
-	    return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
-				   "file permissions deny server execution");
+        if(access(r->filename, X_OK)) {
+          if (errno == EACCES)
+            return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
+                                   "file permissions deny server execution");
+          else
+          return log_scripterror(r, conf, SERVER_ERROR, APLOG_NOERRNO,
+                                 "system error checking execute access");
+        }
     if ((retval = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))

Reply to: