[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1014056: apache2: /var/run/apache2 permissions too narrow for cgid

On 29/06/2022 16:51, MK wrote:
Package: apache2
Version: 2.4.53-1~deb11u1
Severity: minor

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

Enabling cgid in apache2 (with a2enmod cgid) results in an error when using mpm_event:
     [cgid:error] [pid 8943:tid 140189712234240] (22)Invalid argument: [client x.x.x.x:49364] AH01257: unable to connect to cgi daemon after multiple tries: /usr/lib/cgi-bin/xxxxxx
Meanwhile, the user receives a 503 HTTP error, rather than the CGI content.

Upon launch, Apache creates /var/run/apache2/cgisock.PID (where PID is the PID in question), however it does that as the www-data user and root group, who does not have write access to /var/run/apache2 (where only the root user has write permission).

To fix this, chmod g+rwx /var/run/apache2 fixes the issue.  Since we're only adding the root group, this likely has a minimal security effect.

Alternately, the default directive of
     /etc/apache2/mods-available/cgid.conf:    ScriptSock ${APACHE_RUN_DIR}/cgisock
Should not point to a folder that does not have write access by www-data user and a subfolder with more open permission should be created.


Thanks for the report. Alternative: I tried to move cgid socket into ${APACHE_RUN_DIR}/socks/cgisock, created now by apache2ctl and owned by www-data (https://salsa.debian.org/apache-team/apache2/-/pipelines/395609). Then no security changes.

Let's wait for pipeline result

Reply to: