Bug 5310 - Apache needs MULTIPLE_GROUPS option?
Summary: Apache needs MULTIPLE_GROUPS option?
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: apache
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Preston Brown
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 1999-09-22 19:06 UTC by dave
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1999-12-06 18:34:28 UTC



Description dave 1999-09-22 19:06:13 UTC
I installed the Apache 1.3.6 package and modified the
configuration to run under a new user I created named
"httpd".  httpd's primary group is also named "httpd", and
then it is a member of the "video" group as well.

From /etc/group:

video:x:401:httpd,admin

I have a CGI that I want to make executable only by the
"video" group...

-r-xr-x---   1 root     video          77 Sep 22 11:56 test.cgi

...however Apache will refuse to execute it.  I get the
following error message in /etc/httpd/logs/error_log:

[Wed Sep 22 12:18:48 1999] [error] [client 127.0.0.1] file permissions deny server execution: /video/tools/htdocs/test.cgi

It works fine if I chgrp it to "httpd".

test.cgi, by the way, contains the following:

#!/bin/sh
echo "Content-Type: text/plain"
echo ""
echo -n "id -a: "
id -a

It outputs...

id -a: uid=16(httpd) gid=16(httpd) groups=16(httpd),401(video)

...so I know that httpd truly is a member of the group and
_should_ have permission to execute the script chgrp'd to
video.

Looking through the sources, I can see that
modules/standard/mod_cgi.c is calling ap_can_exec() from
ap/util.c, which checks the uid and gid of the file against
the current user and group.  There is support for
supplementary groups, but it's wrapped in #ifdef
MULTIPLE_GROUPS .. #endif statements.

I assume this means that Apache needs to be recompiled with
the MULTIPLE_GROUPS option?

Comment 1 Preston Brown 1999-12-06 18:34:59 UTC
This feature has enough additional security implications that we do not want it
turned on by default.  This is also why it isn't documented in the apache
documentation nor supported as a configuration-time option.

You may recompile your apache and #define the preprocessor directive in httpd.h
if you need this feature.
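
Added example (not part of the bug report and not Apache's source): a user-space execute pre-check of the kind the report describes, run with and without supplementary groups against the reported file, to show where a primary-group-only check disagrees with the group class the kernel would select. The names proc_id, can_exec and check_video_file are hypothetical; the uid/gid values come from the report's id -a output, root is taken as uid 0, and mode 0505 is a constructed contrast case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical identity record for the server process (not an Apache type). */
struct proc_id {
    uid_t uid;
    gid_t gid;            /* primary group */
    const gid_t *groups;  /* supplementary groups */
    size_t ngroups;
};

/* User-space execute check using owner/group/other class selection.
 * use_supplementary = false models a build without supplementary-group support. */
static bool can_exec(const struct proc_id *p, uid_t f_uid, gid_t f_gid,
                     mode_t mode, bool use_supplementary)
{
    if (p->uid == f_uid)
        return (mode & S_IXUSR) != 0;
    bool in_group = (p->gid == f_gid);
    if (!in_group && use_supplementary) {
        for (size_t i = 0; i < p->ngroups; i++)
            if (p->groups[i] == f_gid)
                in_group = true;
    }
    if (in_group)
        return (mode & S_IXGRP) != 0;
    return (mode & S_IXOTH) != 0;
}

/* Identity from the report's `id -a` output; file owned by root:video (0:401). */
static bool check_video_file(mode_t mode, bool use_supplementary)
{
    static const gid_t groups[] = { 16, 401 };
    const struct proc_id httpd = { 16, 16, groups, 2 };
    return can_exec(&httpd, 0, 401, mode, use_supplementary);
}

int main(void)
{
    /* 0550 is the report's -r-xr-x---; 0505 is a constructed contrast case. */
    printf("0550 primary-only: %d\n", check_video_file(0550, false));
    printf("0550 supplementary: %d\n", check_video_file(0550, true));
    printf("0505 primary-only: %d\n", check_video_file(0505, false));
    printf("0505 supplementary: %d\n", check_video_file(0505, true));
    return 0;
}
```

With mode 0505 the primary-only check falls through to the "other" bits and allows execution, although a member of video is in the group class and has no execute bit there, so the pre-check can be wrong in either direction.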