[tech] Apache and suexec

David Adam zanchey at ucc.gu.uwa.edu.au
Wed Oct 7 09:30:27 AWST 2015


CGI scripts stopped working a while back - probably on 21/9/2015. They're 
fixed now.

Some background is probably helpful. The web server has the ability to run 
programs for our users, but for security reasons it runs them in the 
security context of the person who owns the program. This is done through 
a mechanism called "suexec".

Unfortunately, the restrictions that suexec imposes are too tight for 
UCC's use. In particular, it prevents any programs running for wheel 
members (who have a group ID of 0) and requires all programs to be in a 
predetermined, compiled-in directory of "public_html" (we use 
public-html).

In order to work around that, we have a custom-compiled version of the 
suexec helper (/usr/lib/apache2/suexec). It doesn't get upgraded with each 
version of Apache, because it has to be done by hand. The official suexec 
binary gets put in /usr/lib/apache2/suexec.debian, thanks to the magic 
of dpkg-divert.

The existing helper was for some reason compiled against BDB 4.2, which 
got removed from the system as it had nothing marked as depending on it on 
21/9. Then the suexec helper refused to load, failing with 
"/usr/lib/apache2/suexec: error while loading shared libraries: 
libdb-4.2.so: cannot open shared object file: No such file or directory"

I downloaded the Apache source (apt-get source apache2) and patched the 
suexec program:

In support/suexec.h:
 - dropped MIN_GID to 0
 - defined AP_DOC_ROOT to "/" (and removed the #ifdef guarding it)
 - defined AP_USERDIR_SUFFIX to "public-html" (and removed the #ifdef 
   guarding it)
 - defined AP_HTTPD_USER to "www-data"

In support/suexec.c:
 - removed the check for GID == 0
 - removed part of the Debian patch 
   debian/patches/058_suexec-CVE-2007-1742: not the bit that fixes the 
   race condition, but the part that always appends a "/" to the DOC_ROOT.

Then I compiled it (debian/rules binary), verified the build flags were 
correct (debian/apache2-suexec/usr/lib/apache2/suexec -V), and copied it 
into place (cp debian/apache2-suexec/usr/lib/apache2/suexec 
/usr/lib/apache2/suexec).

Easy right? It only took about seven attempts.

This dance will have to be done again when we upgrade to Apache 2.4. I 
really can't think of any way around it; [TRS] suggested a per-user CGID 
but I don't know that these are actually plausible.

David Adam
UCC Wheel Member
zanchey at ucc.gu.uwa.edu.au
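The mail verifies the rebuilt helper by eye with `suexec -V`, and the outage itself came from a shared library that was no longer present. The script below, an added example that is not part of the mail and not UCC's own tooling, turns both into repeatable checks: one compares the compiled-in settings against the values the mail lists, the other flags any library `ldd` cannot resolve. It assumes `suexec -V` prints its settings on stderr as ` -D NAME=VALUE` lines using the macro names `AP_GID_MIN`, `AP_DOC_ROOT`, `AP_USERDIR_SUFFIX` and `AP_HTTPD_USER` (the mail refers to the first as MIN_GID), and that `ldd` prints `lib => not found` for missing libraries. The sample outputs at the bottom are constructed for offline demonstration.

```shell
#!/bin/sh
# Added example: post-build checks for a hand-patched suexec helper.
# Not from the original mail; written to automate the "-V" verification
# step it describes and to catch the missing-libdb failure it reports.
#
# Assumptions (mine): `suexec -V` prints compiled-in settings on stderr as
# " -D NAME=VALUE" lines using the macro names AP_GID_MIN, AP_DOC_ROOT,
# AP_USERDIR_SUFFIX and AP_HTTPD_USER; `ldd` prints "lib => not found"
# for unresolvable shared libraries.

# Values the custom build must carry, per the mail.
EXPECTED_SETTINGS='AP_GID_MIN=0
AP_DOC_ROOT="/"
AP_USERDIR_SUFFIX="public-html"
AP_HTTPD_USER="www-data"'

# check_settings: reads `suexec -V` output on stdin. Prints one line per
# setting that is absent or differs from EXPECTED_SETTINGS. Returns 0 only
# when every expected setting matches exactly.
check_settings() {
    actual=$(sed -n 's/^ *-D //p')
    status=0
    for want in $EXPECTED_SETTINGS; do
        name=${want%%=*}
        got=$(printf '%s\n' "$actual" | grep "^$name=" || true)
        if [ "$got" != "$want" ]; then
            printf 'setting mismatch: want %s, got %s\n' "$want" "${got:-<absent>}"
            status=1
        fi
    done
    return $status
}

# check_libs: reads `ldd suexec` output on stdin. Prints every unresolved
# library and returns 1 if there is at least one (the libdb-4.2 case).
check_libs() {
    missing=$(grep 'not found' || true)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^[[:space:]]*/unresolved library: /'
        return 1
    fi
    return 0
}

# Constructed sample outputs (not captured from a real system):
# a stock Debian-style "-V" listing and an ldd listing with libdb missing.
SAMPLE_V_DEBIAN=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_USERDIR_SUFFIX="public_html"'
SAMPLE_LDD_BROKEN='	linux-vdso.so.1 (0x00007ffd1f5e0000)
	libdb-4.2.so => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a4c000000)'

# Demonstration on the constructed samples; both checks should fail here.
printf '%s\n' "$SAMPLE_V_DEBIAN" | check_settings && echo "settings OK" || echo "settings NOT OK"
printf '%s\n' "$SAMPLE_LDD_BROKEN" | check_libs && echo "libs OK" || echo "libs NOT OK"
```

Against a real build, run the checks on the freshly built binary before copying it into place: `debian/apache2-suexec/usr/lib/apache2/suexec -V 2>&1 | check_settings` and `ldd debian/apache2-suexec/usr/lib/apache2/suexec | check_libs`. Running the same two commands against the installed helper from cron would have reported the libdb-4.2 removal the day it happened rather than when CGI scripts were noticed to be failing.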

