|
|
08-02-2007, 10:48 AM
|
|
Senior Member
|
|
Join Date: Jul 2007
Location: /dev/null
Posts: 290
|
|
|
Hmm,
Sorry to keep taking right turns here, but either I'm not understanding or suexec simply works "differenty" under LSWS. In a default cPanel install let's say we have the following:
/home/user-1/
/home/user-1/public_html
/home/user-2/
/home/user-2/public_html
under /home/user-1 I create a simple text file (let's just call it junk.txt). In user-2 I created a small cgi program (perl) that opened /home/user-1/junk.txt. Under Apache suexec I got a 500 error and a message in the suexec log that the uid/gid does not match (so the file could not be opened). LSWS otoh easily opened the file.
I'm hoping I just have something configured wrong.
TIA,
Frank
|
08-02-2007, 11:09 AM
|
|
LiteSpeed Staff
|
|
Join Date: May 2003
Location: New Jersey
Posts: 7,590
|
|
Quote:
|
I got a 500 error and a message in the suexec log that the uid/gid does not match (so the file could not be opened)
|
I might be wrong, but I believe the 500 error is not because the CGI accessing another user's file, Apache will not check what the script does. Apache suEXEC has many restrictions, in this case, maybe the requirement of ownership of the script does not meet. You will get 500 error even when the script trying to access a file under user-2's home directory. Apache simple wont run the script no matter what. If all the requirement of Apache CGI suEXEC has been met, the script should has not problem access user-1's file, same result as with LSWS.
To prevent one user from reading or writing another user's file, the file system permission need to be set properly. If you make user-1's home directory NOT world readable, then scripts run under user-2 will not able to access user-1's files. |
08-02-2007, 11:18 AM
|
|
Senior Member
|
|
Join Date: Jul 2007
Location: /dev/null
Posts: 290
|
|
Sorry, not trying to stir up trouble, but I'm trying to evaluate LSWS as a "drop in" replacement for Apache on cPanel. Here is the line from the suexec_log:
Code:
[2007-08-02 13:13:10]: error: target uid/gid (32003/32005) mismatch with directory (32003/32005) or program (99/99) or trusted user (0/10)
You are correct that Apache does not check the file ownership or what the script does, but suexec does. While I agree that permissions may not be optimal, it works as we expect under Apache/suexec and it works differently under LSWS. We just need to figure out a way to make LSWS work like Apahce/suexec.
TIA,
Frank
|
08-02-2007, 11:58 AM
|
|
LiteSpeed Staff
|
|
Join Date: May 2003
Location: New Jersey
Posts: 7,590
|
|
Not a problem.
Some of the restriction of Apache suEXEC is not necessary to me, as when you make suEXEC happy with the script permission, the end result might be exactly as what LSWS produce without those restrictions.  Basically, we want our suEXEC implementation easy to use while maintain the same level of security as Apache's.
In this case, what you need to do to make Apache suEXEC happy with the script? I assume you need to fix something like ownership/permission of the script. After the fix, does the script work differently than what LSWS does now?
We are open to suggestions on enhancing the security of our product, and we will be very happy to implement a useful feature.
I might be completely wrong as I am not a expert on Apache suEXEC, your current Apache suEXEC may not allow a normal user to execute any CGI script in suEXEC mode, as it may require the script owned by 99/99 or a user other than the user who own the directory, it is not possible for a normal user to change the file ownership.
|
08-02-2007, 12:30 PM
|
|
Senior Member
|
|
Join Date: Jul 2007
Location: /dev/null
Posts: 290
|
|
Well I think this one is necessary  First ignore those other uid/gid's. I'm 99% sure it means that it can't be one of those (they are nobody and root). The closest thing I can equate this functionality to is php openbasedir. We simply could not rely on clients to keep directory permissions correct. There are way too many open source packages that say "chmod 777 ...".
I'm going to send you more details via PM as I don't want to publish these details in public.
Frank
|
08-02-2007, 12:57 PM
|
|
LiteSpeed Staff
|
|
Join Date: May 2003
Location: New Jersey
Posts: 7,590
|
|
|
The way Unix/Linux file system permission works is that if the parent directory is not world readable, then its sub-directories are not world readable no matter what the permission mask is on the subdirectory.
So, if the permission of a user's home directory has been set properly, then other user cannot access any file under that user's home directory no matter what is the permission mask of individual file or directory. Usually, the permission of a user's home directory is set properly by the control panels.
Apache suEXEC care about script file ownership because it run script under the same UID of the owner of the file, while LSWS run everything under the UID of the owner of document root directory, regardless the UID of a specific CGI script.
|
08-02-2007, 01:01 PM
|
|
Senior Member
|
|
Join Date: Jul 2007
Location: /dev/null
Posts: 290
|
|
Quote:
|
Originally Posted by mistwang
Apache suEXEC care about script file ownership because it run script under the same UID of the owner of the file, while LSWS run everything under the UID of the owner of document root directory, regardless the UID of a specific CGI script.
|
I do not believe this to be true. Apache/suexec runs it with the uid/gid that is given in httpd.conf with the User/Group directives. If the User/Group in the config don't match the user/group on the file it will never even run the program.
Frank |
| Thread Tools |
|
|
| Display Modes |
 Linear Mode
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -7. The time now is 06:37 PM.
|
|
