Bug#385656: apache: mod_cgi does not play well with Posix ACLs
Package: apache
Version: 1.3.34-4+aclfix
Severity: normal
Apache's mod_cgi will not execute CGI scripts that
have an ACL entry allowing www-data to execute them
unless they also have standard Unix permissions
allowing execution, thus defeating the purpose of using
the ACL in the first place.
I have attached a patch that seems to work for me.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages apache depends on:
ii apache-common 1.3.34-4+aclfix support files for all Apache webse
ii debconf [debconf-2.0] 1.4.30.11 Debian configuration management sy
ii libc6 2.3.6-7 GNU C Library: Shared libraries
ii libdb4.4 4.4.20-3 Berkeley v4.4 Database Libraries [
ii libexpat1 1.95.8-3.2 XML parsing C library - runtime li
ii libmagic1 4.12-1 File type determination library us
ii logrotate 3.7-2 Log rotation utility
ii lsb-base 3.0-16 Linux Standard Base 3.0 init scrip
ii mime-support 3.28-1 MIME files 'mime.types' & 'mailcap
ii perl 5.8.8-6.1 Larry Wall's Practical Extraction
apache recommends no packages.
-- debconf information excluded
--
the Edward Blevins <thedward@barsoom.net> (512) 796-6661
/(0\ mi tavla fo la lojban .i xu do go'i?
\1)/ .i.e'u ko vitke fi zoi .url. http://www.lojban.org .url.
Today is Prickle-Prickle, the 25th day of Bureaucracy in the YOLD 3172
diff -Naurd build-tree/apache_1.3.34/src/modules/standard/mod_cgi.c apache_1.3.34-cgi-acl-fix/src/modules/standard/mod_cgi.c
--- build-tree/apache_1.3.34/src/modules/standard/mod_cgi.c 2004-11-24 13:10:19.000000000 -0600
+++ apache_1.3.34-cgi-acl-fix/src/modules/standard/mod_cgi.c 2006-09-01 16:02:49.821235919 -0500
@@ -382,9 +382,14 @@
return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
"attempt to invoke directory as script");
if (!ap_suexec_enabled) {
- if (!ap_can_exec(&r->finfo))
- return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
- "file permissions deny server execution");
+ if(access(r->filename, X_OK)) {
+ if (errno == EACCES)
+ return log_scripterror(r, conf, FORBIDDEN, APLOG_NOERRNO,
+ "file permissions deny server execution");
+ else
+ return log_scripterror(r, conf, SERVER_ERROR, APLOG_NOERRNO,
+ "system error checking execute access");
+ }
}
if ((retval = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))
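Review bot: access() in the added `if(access(r->filename, X_OK))` evaluates permissions against the real UID/GID of the process rather than the effective ones, and it checks the path by name at call time instead of the object already described by r->finfo. The result is therefore only a pre-flight hint, and the later exec remains the actual enforcement point; a comment stating that would help. In the else branch, APLOG_NOERRNO is passed together with "system error checking execute access", so the errno that would explain the failure is not logged; consider logging it there. The hunk also uses access(), errno and EACCES without showing includes for <unistd.h> and <errno.h>, and `if(` should be `if (` to match the surrounding lines.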
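The mismatch the report describes, as an added example (not part of the original report and not Apache's code): a simplified model that evaluates execute permission once from stat()-style mode bits alone and once in POSIX ACL order. The struct, the function names and the sample values (uid 33 standing in for www-data, owner 1000) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>

#define PERM_X 1  /* execute bit of an rwx triplet (r=4, w=2, x=1) */

struct acl_user { uid_t uid; int perms; };   /* named-user ACL entry */

struct file_perms {                          /* constructed model, not an Apache type */
    uid_t owner; gid_t group;
    int user_obj, group_obj, other;          /* base rwx triplets */
    int has_acl, mask;                       /* extended ACL present, and its mask */
    const struct acl_user *users; size_t nusers;
};

/* Classic check on stat() mode bits only. With an extended ACL the group
 * triplet of the mode shows the mask, and named users are invisible. */
static int mode_bits_can_exec(uid_t uid, gid_t gid, const struct file_perms *f)
{
    int group_bits = f->has_acl ? f->mask : f->group_obj;
    if (uid == f->owner) return (f->user_obj & PERM_X) != 0;
    if (gid == f->group) return (group_bits & PERM_X) != 0;
    return (f->other & PERM_X) != 0;
}

/* POSIX ACL evaluation order, simplified: one group per process, no named groups. */
static int acl_can_exec(uid_t uid, gid_t gid, const struct file_perms *f)
{
    int mask = f->has_acl ? f->mask : 7;
    size_t i;
    if (uid == f->owner) return (f->user_obj & PERM_X) != 0;
    for (i = 0; i < f->nusers; i++)
        if (f->users[i].uid == uid)
            return (f->users[i].perms & mask & PERM_X) != 0;
    if (gid == f->group) return (f->group_obj & mask & PERM_X) != 0;
    return (f->other & PERM_X) != 0;
}

/* Constructed sample: script owned by 1000:1000, mode rwx------ plus an
 * ACL entry user:33:r-x (33 stands in for www-data). */
static const struct acl_user sample_users[] = { { 33, 5 } };
static const struct file_perms sample = { 1000, 1000, 7, 0, 0, 1, 5, sample_users, 1 };

int main(void)
{
    printf("mode bits only: %d\n", mode_bits_can_exec(33, 33, &sample));
    printf("with ACL:       %d\n", acl_can_exec(33, 33, &sample));
    return 0;
}
```

The two functions disagree only for the named-user entry; tightening the mask to r-- makes the ACL evaluation deny as well, which is why the mask has to be checked when auditing such grants.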