[tech] Apache and suexec
David Adam
zanchey at ucc.gu.uwa.edu.au
Wed Oct 7 09:30:27 AWST 2015
CGI scripts stopped working a while back - probably on 21/9/2015. They're
fixed now.
Some background is probably helpful. The web server has the ability to run
programs for our users, but for security reasons it runs them in the
security context of the person who owns the program. This is done through
a mechanism called "suexec".
Unfortunately, the restrictions that suexec imposes are too tight for
UCC's use. In particular, it prevents any programs running for wheel
members (who have a group ID of 0) and requires all programs to be in a
predetermined, compiled-in directory of "public_html" (we use
public-html).
In order to work around that, we have a custom-compiled version of the
suexec helper (/usr/lib/apache2/suexec). It doesn't get upgraded with each
version of Apache, because it has to be done by hand. The official suexec
binary gets put in /usr/lib/apache2/suexec.debian, thanks to the magic
of dpkg-divert.
The existing helper was for some reason compiled against BDB 4.2, which
got removed from the system as it had nothing marked as depending on it on
21/9. Then the suexec helper refused to load, failing with
"/usr/lib/apache2/suexec: error while loading shared libraries:
libdb-4.2.so: cannot open shared object file: No such file or directory"
I downloaded the Apache source (apt-get source apache2) and patched the
suexec program:
In support/suexec.h:
- dropped MIN_GID to 0
- defined AP_DOC_ROOT to "/" (and removed the #ifdef guarding it)
- defined AP_USERDIR_SUFFIX to "public-html" (and removed the #ifdef
guarding it)
- defined AP_HTTPD_USER to "www-data"
In support/suexec.c:
- removed the check for GID == 0
- removed part of the Debian patch
debian/patches/058_suexec-CVE-2007-1742: not the bit that fixes the
race condition, but the part that always appends a "/" to the DOC_ROOT.
Then I compiled it (debian/rules binary), verified the build flags were
correct (debian/apache2-suexec/usr/lib/apache2/suexec -V), and copied it
into place (cp debian/apache2-suexec/usr/lib/apache2/suexec
/usr/lib/apache2/suexec).
Easy right? It only took about seven attempts.
This dance will have to be done again when we upgrade to Apache 2.4. I
really can't think of any way around it; [TRS] suggested a per-user CGID
but I don't know that these are actually plausible.
David Adam
UCC Wheel Member
zanchey at ucc.gu.uwa.edu.au
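The failure described in this message (a hand-built setuid helper that stops loading once a library it was linked against is removed, and that a package upgrade can quietly replace) is the kind of thing worth checking after every apt run rather than waiting for CGI to break. The script below is an added example, not code from this post or from UCC's systems. It checks the output of "suexec -V" against the compiled-in values the message lists, confirms the dpkg-divert is still in place, and confirms that ldd resolves every library the binary needs. The sample outputs are constructed for illustration, the function names are this example's own, and the expected values are taken from the message above; it assumes the diversion points at the suexec.debian path the message describes.

```sh
#!/bin/sh
# Added example, not part of the original post. Post-upgrade sanity check for a
# hand-built suexec: compiled-in settings, dpkg diversion and shared-library
# resolution (the libdb-4.2 failure described in the message). Expected values
# come from the message; function names and sample outputs are constructed.

SUEXEC=/usr/lib/apache2/suexec
EXPECTED_DOC_ROOT="/"
EXPECTED_USERDIR_SUFFIX="public-html"
EXPECTED_HTTPD_USER="www-data"
EXPECTED_GID_MIN=0

# Print the value of one "-D AP_NAME=value" line from `suexec -V` output,
# with surrounding double quotes stripped. $1 = -V output, $2 = macro name.
suexec_flag() {
    printf '%s\n' "$1" | sed -n "s/^ *-D $2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# Return 0 when every expected compile-time setting is present and correct.
# A stock Debian binary (DOC_ROOT /var/www, GID_MIN 100, public_html) fails.
check_suexec_flags() {
    rc=0
    [ "$(suexec_flag "$1" AP_DOC_ROOT)" = "$EXPECTED_DOC_ROOT" ] \
        || { echo "AP_DOC_ROOT is not $EXPECTED_DOC_ROOT" >&2; rc=1; }
    [ "$(suexec_flag "$1" AP_USERDIR_SUFFIX)" = "$EXPECTED_USERDIR_SUFFIX" ] \
        || { echo "AP_USERDIR_SUFFIX is not $EXPECTED_USERDIR_SUFFIX" >&2; rc=1; }
    [ "$(suexec_flag "$1" AP_HTTPD_USER)" = "$EXPECTED_HTTPD_USER" ] \
        || { echo "AP_HTTPD_USER is not $EXPECTED_HTTPD_USER" >&2; rc=1; }
    [ "$(suexec_flag "$1" AP_GID_MIN)" = "$EXPECTED_GID_MIN" ] \
        || { echo "AP_GID_MIN is not $EXPECTED_GID_MIN" >&2; rc=1; }
    return $rc
}

# Return 0 when `ldd` output lists no unresolved library ("=> not found").
check_ldd() {
    ! printf '%s\n' "$1" | grep -q 'not found'
}

# Return 0 when `dpkg-divert --list` output still shows the suexec diversion
# (matches both "local diversion of X to Y" and "diversion of X to Y by pkg").
check_divert() {
    printf '%s\n' "$1" | grep -q "diversion of $SUEXEC to "
}

# Constructed sample outputs (not captured from a real system).
CUSTOM_V=' -D AP_DOC_ROOT="/"
 -D AP_GID_MIN=0
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public-html"'

STOCK_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"'

OK_LDD='	linux-vdso.so.1 (0x0)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)'
BROKEN_LDD='	libdb-4.2.so => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)'

DIVERT_OK="local diversion of $SUEXEC to $SUEXEC.debian"

# Run the checks against the constructed samples.
check_suexec_flags "$CUSTOM_V" && echo "custom build: compiled-in flags OK"
check_suexec_flags "$STOCK_V" || echo "stock build: flags do not match site policy (expected)"
check_ldd "$OK_LDD" && echo "custom build: all shared libraries resolve"
check_ldd "$BROKEN_LDD" || echo "old build: unresolved shared library (expected)"
check_divert "$DIVERT_OK" && echo "dpkg-divert still in place"
```

On the live system the same functions take real output: suexec prints its -V settings to stderr, so use check_suexec_flags "$(/usr/lib/apache2/suexec -V 2>&1)", then check_ldd "$(ldd /usr/lib/apache2/suexec)" and check_divert "$(dpkg-divert --list /usr/lib/apache2/suexec)". Running this from the Apache package's post-upgrade path, or from cron, turns the "seven attempts" rebuild into a visible failure at upgrade time rather than a silent CGI outage weeks later.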