Bug#385656: apache: mod_cgi does not play well with Posix ACLs

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#385656: apache: mod_cgi does not play well with Posix ACLs
From: the Edward Blevins <thedward@barsoom.net>
Date: Fri, 1 Sep 2006 16:48:58 -0500
Message-id: <[🔎] 20060901214857.GA14726@diamond.thirdchimp.com>
Reply-to: the Edward Blevins <thedward@barsoom.net>, 385656@bugs.debian.org

Package: apache
Version: 1.3.34-4+aclfix
Severity: normal


Apache's mod_cgi will not execute cgi scripts that
have an ACL entry allowing www-data to execute them 
unless they also have standard Unix permissions 
allowing execution. Thus defeating the purpose of using
the ACL in the first place.

I have attached a patch that seems to work for me.


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages apache depends on:
ii  apache-common            1.3.34-4+aclfix support files for all Apache webse
ii  debconf [debconf-2.0]    1.4.30.11       Debian configuration management sy
ii  libc6                    2.3.6-7         GNU C Library: Shared libraries
ii  libdb4.4                 4.4.20-3        Berkeley v4.4 Database Libraries [
ii  libexpat1                1.95.8-3.2      XML parsing C library - runtime li
ii  libmagic1                4.12-1          File type determination library us
ii  logrotate                3.7-2           Log rotation utility
ii  lsb-base                 3.0-16          Linux Standard Base 3.0 init scrip
ii  mime-support             3.28-1          MIME files 'mime.types' & 'mailcap
ii  perl                     5.8.8-6.1       Larry Wall's Practical Extraction 

apache recommends no packages.

-- debconf information excluded

-- 
the Edward Blevins   <thedward@barsoom.net>    (512) 796-6661
/(0\         mi tavla fo la lojban .i xu do go'i? 
\1)/ .i.e'u ko vitke fi zoi .url. http://www.lojban.org .url.
Today is Prickle-Prickle, the 25th day of Bureaucracy in the YOLD 3172

diff -Naurd build-tree/apache_1.3.34/src/modules/standard/mod_cgi.c apache_1.3.34-cgi-acl-fix/src/modules/standard/mod_cgi.c
--- build-tree/apache_1.3.34/src/modules/standard/mod_cgi.c	2004-11-24 13:10:19.000000000 -0600
+++ apache_1.3.34-cgi-acl-fix/src/modules/standard/mod_cgi.c	2006-09-01 16:02:49.821235919 -0500
@@ -382,9 +382,14 @@
 	return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
 			       "attempt to invoke directory as script");
     if (!ap_suexec_enabled) {
-	if (!ap_can_exec(&r->finfo))
-	    return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
-				   "file permissions deny server execution");
+        if(access(r->filename, X_OK)) {
+          if (errno == EACCES)
+            return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
+                                   "file permissions deny server execution");
+          else
+          return log_scripterror(r, conf, SERVER_ERROR, APLOG_NOERRNO,
+                                 "system error checking execute access");
+        }
     }
 
     if ((retval = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))

Reply to:

Prev by Date: apr-util 1.2.7+dfsg-2 MIGRATED to testing
Next by Date: Bug#386024: apache2: Indexes ignore large files
Previous by thread: apr-util 1.2.7+dfsg-2 MIGRATED to testing
Next by thread: Bug#386024: apache2: Indexes ignore large files
Index(es):
- Date
- Thread