08-01-2007, 09:58 PM
Senior Member
Join Date: Jul 2007
Location: /dev/null
Posts: 290
cgi suexec / cPanel server
Hello,
How do we enable/configure cgi (i.e. perl scripts) suexec when we're using a cPanel / Apache httpd.conf setup?
TIA,
Frank

08-02-2007, 06:54 AM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
It should be automatic if the virtual host has "User/Group" configuration or "SuexecUserGroup" configuration.

08-02-2007, 07:01 AM
Senior Member
Join Date: Jul 2007
Location: /dev/null
Posts: 290
Yep, it's there, but does not seem to be working:
Code:
<VirtualHost x.x.x.x>
ServerAlias www.xx.xx
ServerAdmin webmaster@xx.xx
DocumentRoot /home/xx/public_html
User xxx
Group xxx
ServerName xx.xx
<IfModule mod_suphp.c>
suPHP_UserGroup xxx xxx
</IfModule>
<IfModule mod_php4.c>
php_admin_value open_basedir "/home/xxx:/usr/lib/php:/usr/local/lib/php:/tmp:/opt/lsws/share/autoindex"
</IfModule>
<IfModule mod_php5.c>
php_admin_value open_basedir "/home/xxx:/usr/lib/php:/usr/local/lib/php:/tmp:/opt/lsws/share/autoindex"
</IfModule>
User xxx
Group xxx
BytesLog /usr/local/apache/domlogs/xx.xx.xx-bytes_log
CustomLog /usr/local/apache/domlogs/xx.xx.xx combined
ScriptAlias /cgi-bin/ /home/xxx/public_html/cgi-bin/
</VirtualHost>
Here is the code we're running:
Code:
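#! /usr/local/bin/perl
# Test CGI: emit a page, then try to read a file outside the site's home directory.
print "Content-type: text/html\n\n";
print "<html><body>\n";
print "hello world\n";
# No error check on open: if it fails, the loop below prints nothing.
open(PASSW, "/var/cpanel/whmtheme");
while (<PASSW>)
{
    print "*$_ *\n";
}
print "</body></html>\n";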
When we access the page we get:
hello world
*x *
So the script is able to open /var/cpanel/whmtheme, which is well outside the site's "home directory" and which I thought would be inaccessible.
TIA,
Frank

08-02-2007, 07:13 AM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
If the user has read permission on that file, then the script can still read it. LSWS only guarantees that it won't itself be tricked into serving anything outside the document root; it has no control over a script unless the script is placed in a chroot jail.
You can make the script run slower and check the process uid.

08-02-2007, 07:47 AM
Senior Member
Join Date: Jul 2007
Location: /dev/null
Posts: 290
Quote:
Originally Posted by mistwang
You can make the script run slower and check the process uid.
Can you explain this a bit more?
I ran a quick test and you are correct that Apache suexec can read outside the document root (something I did not think it could do). suexec, however, enforces that the uid/gid match or it won't run the script. Is this possible to do with LSWS when it's reading the Apache config?
TIA,
Frank

08-02-2007, 08:13 AM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
Just add something like "sleep(60)", so you will have time to check the process uid with the "ps" command. I believe that the script is run as the uid/gid of the owner of the document root.

08-02-2007, 08:31 AM
Senior Member
Join Date: Jul 2007
Location: /dev/null
Posts: 290
Yes, the process is running at the proper id (the site owner). How about the uid/gid checks?
TIA,
Frank

08-02-2007, 09:37 AM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
Quote:
How about the uid/gid checks?
What is this about?

08-02-2007, 09:43 AM
Senior Member
Join Date: Jul 2007
Location: /dev/null
Posts: 290
Well, LSWS mimics Apache; there are checks in place with suexec to ensure that the uid/gid of a cgi script matches the uid/gid given in the vhost container.
Frank

08-02-2007, 09:56 AM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
LiteSpeed uses the uid/gid of the owner of the document root, instead of the owner of the script. In most cases, those two should match.
When they do not match, document root uid is preferred, as it is more secure to us.
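
An added example, not part of the thread and not LiteSpeed or Apache code: since the server described above runs CGI as the document root's owner without comparing script ownership, an administrator can audit that condition offline. The function name `audit_cgi_tree` and its parameters are hypothetical; the checks are modelled on the ones Apache suexec documents (owner/group match, no setuid/setgid, not writable by group or other).

```python
import os
import stat
import sys

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def audit_cgi_tree(docroot, cgi_dir, expected_uid=None, expected_gid=None):
    """Return (path, problem) tuples for entries failing suexec-style checks.

    By default the expected uid/gid is the owner of docroot, which is the
    identity the thread says the server runs the script as.
    """
    root = os.stat(docroot)
    uid = root.st_uid if expected_uid is None else expected_uid
    gid = root.st_gid if expected_gid is None else expected_gid
    findings = []
    for dirpath, _dirs, files in os.walk(cgi_dir):
        if os.lstat(dirpath).st_mode & WRITABLE_BY_OTHERS:
            findings.append((dirpath, "directory writable by group/other"))
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                # Symlinks are reported rather than followed.
                findings.append((path, "symlink, target not checked"))
                continue
            if (st.st_uid, st.st_gid) != (uid, gid):
                findings.append(
                    (path, f"owner {st.st_uid}:{st.st_gid} != expected {uid}:{gid}"))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((path, "setuid/setgid bit set"))
            if st.st_mode & WRITABLE_BY_OTHERS:
                findings.append((path, "file writable by group/other"))
    return findings

if __name__ == "__main__":
    # Usage: script.py DOCROOT CGI_DIR  (paths supplied by the operator)
    for path, problem in audit_cgi_tree(sys.argv[1], sys.argv[2]):
        print(f"{path}: {problem}")
```

An empty result means every script under the CGI directory is owned by the document root's owner and cannot be modified by another account.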