[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1014056: marked as done (apache2: /var/run/apache2 permissions too narrow for cgid)

Your message dated Fri, 08 Jul 2022 07:04:02 +0000
with message-id <E1o9i1y-000HP6-7S@fasolo.debian.org>
and subject line Bug#1014056: fixed in apache2 2.4.54-2
has caused the Debian Bug report #1014056,
regarding apache2: /var/run/apache2 permissions too narrow for cgid
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

1014056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014056
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.53-1~deb11u1
Severity: minor

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

Enabling cgid in apache2 (with a2enmod cgid) results in an error when using mpm_event:
    [cgid:error] [pid 8943:tid 140189712234240] (22)Invalid argument: [client x.x.x.x:49364] AH01257: unable to connect to cgi daemon after multiple tries: /usr/lib/cgi-bin/xxxxxx
Meanwhile, the user receives a 503 HTTP error, rather than the CGI content.

Upon launch, Apache creates /var/run/apache2/cgisock.PID (where PID is the PID in question), however it does that as the www-data user and root group, who does not have write access to /var/run/apache2 (where only the root user has write permission).

To fix this, chmod g+rwx /var/run/apache2 fixes the issue.  Since we're only adding the root group, this likely has a minimal security effect.

Alternately, the default directive of
    /etc/apache2/mods-available/cgid.conf:    ScriptSock ${APACHE_RUN_DIR}/cgisock
Should not point to a folder that does not have write access by www-data user and a subfolder with more open permission should be created.

-- Package-specific info:

-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-15-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.53-1~deb11u1
ii  apache2-data         2.4.53-1~deb11u1
ii  apache2-utils        2.4.53-1~deb11u1
ii  dpkg                 1.20.10
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  mime-support         3.66
ii  perl                 5.32.1-4+deb11u2
ii  procps               2:3.3.17-5

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0+nmu1

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.0-6+deb11u1
ii  libaprutil1              1.6.1-5
ii  libaprutil1-dbd-sqlite3  1.6.1-5
ii  libaprutil1-ldap         1.6.1-5
ii  libbrotli1               1.0.9-2+b2
ii  libc6                    2.31-13+deb11u3
ii  libcrypt1                1:4.4.18-4
ii  libcurl4                 7.74.0-1.3+deb11u1
ii  libjansson4              2.13.1-1.1
ii  libldap-2.4-2            2.4.57+dfsg-3+deb11u1
ii  liblua5.3-0              5.3.3-1.1+b1
ii  libnghttp2-14            1.43.0-1
ii  libpcre3                 2:8.39-13
ii  libssl1.1                1.1.1n-0+deb11u3
ii  libxml2                  2.9.10+dfsg-6.7+deb11u2
ii  perl                     5.32.1-4+deb11u2
ii  zlib1g                   1:1.2.11.dfsg-2+deb11u1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.53-1~deb11u1
ii  apache2-bin  2.4.53-1~deb11u1

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.54-2
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014056@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Yadd <yadd@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Hash: SHA512

Format: 1.8
Date: Tue, 05 Jul 2022 15:49:58 +0200
Source: apache2
Built-For-Profiles: nocheck
Architecture: source
Version: 2.4.54-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1014056
 apache2 (2.4.54-2) unstable; urgency=medium
   * Move cgid socket into a writeable directory (Closes: #1014056)
   * Update lintian overrides
   * Declare compliance with policy 4.6.1
   * Install NOTICE in each package
 226a920fa24572c8830260faabf41cd54f489263 3488 apache2_2.4.54-2.dsc
 ce536f24a36c06243b691c9ca164c4e3eba875ca 899544 apache2_2.4.54-2.debian.tar.xz
 a7a5025128d97f4477819a9f77eea997cdd3c509e6f7e1db011ea53ba297f44a 3488 apache2_2.4.54-2.dsc
 a7f1eea74cdd1566b8af3df1fcd46dc2457eb705380bccd4c3c8bdfa3774712d 899544 apache2_2.4.54-2.debian.tar.xz
 f65a84c5fae1dce3c96ba8dea6f6401e 3488 httpd optional apache2_2.4.54-2.dsc
 acb82e34859ad39e7b500c8dd9b06078 899544 httpd optional apache2_2.4.54-2.debian.tar.xz



--- End Message ---

Reply to: