Debian Bug report logs - #528062
apache2: mod_userdir is broken with respect to suexec support. patch included

version graph

Package: apache2; Maintainer for apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Source for apache2 is src:apache2.

Reported by: "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>

Date: Sun, 10 May 2009 15:54:01 UTC

Severity: normal

Found in version apache2/2.2.11-3

Forwarded to https://issues.apache.org/bugzilla/show_bug.cgi?id=49439

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Sun, 10 May 2009 15:54:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 10 May 2009 15:54:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2: mod_userdir is broken with respect to suexec support. patch included
Date: Sun, 10 May 2009 17:47:01 +0200
[Message part 1 (text/plain, inline)]
Package: apache2
Version: 2.2.11-3
Severity: important

Hi,

on one of my production system I'm using ldap_userdir which borrowed code
from mod_userdir. After some investigation (suexec support was naccassary)
that there is error in suexec handling, and it existed many years unnoticed.

Hopefully mod-ldap-userdir author accepted my patches (about request notes,
and some bad usage of strtoul) and everything works out of box on lenny now.


Bud bad code in mod_userdir still exists.

I'm attaching the patch for mod_userdir.c. (based on patch for mod_ldap_userdir.c)

It was tested and works correctly. Please apply and notify upstream if possible.

Thanks you.


-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
pn  apache2-mpm-worker | apache2- <none>     (no description available)

apache2 recommends no packages.

apache2 suggests no packages.
[userdir-suexec-fix.patch (text/x-c, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Sun, 10 May 2009 17:45:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to sf@debian.org, 528062@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 10 May 2009 17:45:02 GMT) Full text and rfc822 format available.

Message #10 received at 528062@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>
Cc: 528062@bugs.debian.org
Subject: Re: Bug#528062: apache2: mod_userdir is broken with respect to suexec support. patch included
Date: Sun, 10 May 2009 19:43:44 +0200
On Sunday 10 May 2009, Witold Baryluk wrote:
> on one of my production system I'm using ldap_userdir which
> borrowed code from mod_userdir. After some investigation (suexec
> support was naccassary) that there is error in suexec handling, and
> it existed many years unnoticed.


> It was tested and works correctly. Please apply and notify upstream
> if possible.


Thanks for your patch. Please be a bit more verbose on what the actual 
problem was and how it can be reproduced.

Stefan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Sun, 10 May 2009 19:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Witold Baryluk <baryluk@smp.if.uj.edu.pl>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 10 May 2009 19:09:04 GMT) Full text and rfc822 format available.

Message #15 received at 528062@bugs.debian.org (full text, mbox):

From: Witold Baryluk <baryluk@smp.if.uj.edu.pl>
To: sf@debian.org, 528062@bugs.debian.org
Subject: Re: Bug#528062: apache2: mod_userdir is broken with respect to suexec support. patch included
Date: Sun, 10 May 2009 21:04:49 +0200
[Message part 1 (text/plain, inline)]
Dnia 2009-05-10, nie o godzinie 19:43 +0200, Stefan Fritsch pisze:
> On Sunday 10 May 2009, Witold Baryluk wrote:
> > on one of my production system I'm using ldap_userdir which
> > borrowed code from mod_userdir. After some investigation (suexec
> > support was naccassary) that there is error in suexec handling, and
> > it existed many years unnoticed.
> 
> 
> > It was tested and works correctly. Please apply and notify upstream
> > if possible.
> 
> 
> Thanks for your patch. Please be a bit more verbose on what the actual 
> problem was and how it can be reproduced.
> 
> Stefan

I will try provide simple example, but actually suexec configuration
isn't simple.

I have apache2 configured with mod_userdir + mod_suexec + mod_fcgid (for
runing php5-cgi in my case).


According to http://httpd.apache.org/docs/2.2/suexec.html#usage
handling of /~baryluk/ should automagically work (by working, I mean fcgid scripts
are run under uid baryluk).

Currently this scripts are run under the www-data uid, because
as I first written mod_userdir.c is not working correctly (not to be honest,
not well tested - this error is sitting there very very long).

There is also some comments in patch. Author of mod_ldap_userdir.c can
also help, but first ask me about any problems. We don't need to bother
him. ;)

Hope this will help.

-- 
Witold Baryluk
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Fri, 29 May 2009 12:45:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Witold Baryluk <baryluk@smp.if.uj.edu.pl>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Fri, 29 May 2009 12:45:03 GMT) Full text and rfc822 format available.

Message #20 received at 528062@bugs.debian.org (full text, mbox):

From: Witold Baryluk <baryluk@smp.if.uj.edu.pl>
To: sf@debian.org, 528062@bugs.debian.org
Subject: Re: Bug#528062: apache2: mod_userdir is broken with respect to suexec support. patch included
Date: Fri, 29 May 2009 14:43:01 +0200
[Message part 1 (text/plain, inline)]
Dnia 2009-05-10, nie o godzinie 19:43 +0200, Stefan Fritsch pisze:
> Thanks for your patch. Please be a bit more verbose on what the actual 
> problem was and how it can be reproduced.
> 
> Stefan


Here is my exact (i hope) configuration attached:

# apt-get install apache2 apache2-suexec libapache2-mod-fcgid php5-cgi
# a2enmod actions suexec userdir fcgid

Relevant files in attachment

/etc/apache2/sites-available/default
/etc/apache2/conf.d/php-fcgid.conf

/home/baryluk/public_html/test.php
/home/baryluk/public_html/fcgi-bin/php-fcgi-wrapper
/home/baryluk/public_html/.htaccess
(edit the last one if other username needed)

# chown -R baryluk:users /home/baryluk/public_html

# /etc/init.d/apache2 restart

Then point your web browser to http://servername/~baryluk/test.php

You will see, `whoami` output one the first line. It will say
"www-data", but should say "baryluk".

This simply mean that suexec support in userdir is not working
correctly.


Patch in first post resolves this problem. There was identical problem
in ldap-userdir, but is already solved there in the same way.


-- 
Witold Baryluk
[.htaccess (text/plain, attachment)]
[default (text/plain, attachment)]
[php-fcgid.conf (text/plain, attachment)]
[php-fcgi-wrapper (application/x-shellscript, attachment)]
[test.php (application/x-php, attachment)]
[signature.asc (application/pgp-signature, inline)]

Severity set to 'normal' from 'important' Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Wed, 29 Jul 2009 23:42:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Mon, 19 Oct 2009 19:19:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Mon, 19 Oct 2009 19:19:12 GMT) Full text and rfc822 format available.

Message #27 received at 528062@bugs.debian.org (full text, mbox):

From: "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>
To: 528062@bugs.debian.org
Subject: Bug#528062: apache2: mod_userdir is broken with respect to suexec
Date: Mon, 19 Oct 2009 21:05:26 +0200
[Message part 1 (text/plain, inline)]
Hi,

is anybody wanting to review my patches?


They are really simple. And without them half of functionality
of suexec is not existing. And it doesn't agree at all with documentation
of Apache http://httpd.apache.org/docs/2.2/suexec.html#usage
subsection "User directories".



-- 
Witold Baryluk
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Mon, 19 Jul 2010 14:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michal Kovac <michal@voxhub.com>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Mon, 19 Jul 2010 14:57:03 GMT) Full text and rfc822 format available.

Message #32 received at 528062@bugs.debian.org (full text, mbox):

From: Michal Kovac <michal@voxhub.com>
To: 528062@bugs.debian.org
Subject: is this getting fixed?
Date: Mon, 19 Jul 2010 15:46:28 +0100
Hello,

I am getting a bit disenchanted with Debian BTS thanks to this bug. How 
much easier could Witold have made it?

He described the bug, submitted a patch. A year later, I'm still having 
to use his patch to run my Apache. Have we gone 12 years back in time? 
Is patching and compiling now a required skill for Debian users? I 
thought we left that behind with Potato.

Regards, Michal




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Thu, 22 Jul 2010 21:03:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Thu, 22 Jul 2010 21:03:08 GMT) Full text and rfc822 format available.

Message #37 received at 528062@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Michal Kovac <michal@voxhub.com>
Cc: 528062@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#528062: is this getting fixed?
Date: Thu, 22 Jul 2010 23:01:08 +0200
tags 528062 +patch
thanks

On Monday 19 July 2010, Michal Kovac wrote:
> He described the bug, submitted a patch.

Sorry, this has somehow fallen through the cracks. I will try to get 
it fixed before squeeze is released.





Added tag(s) patch. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. (Thu, 22 Jul 2010 21:03:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Sat, 24 Jul 2010 20:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sat, 24 Jul 2010 20:15:03 GMT) Full text and rfc822 format available.

Message #44 received at 528062@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 528062@bugs.debian.org
Subject: needs testing with include exec
Date: Sat, 24 Jul 2010 22:12:28 +0200 (CEST)
I suspect that the patch would break suexec for mod_include's exec 
subrequests, but haven't tested it yet. Maybe the note needs to be set 
both on the main and the sub request.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Tue, 19 Oct 2010 16:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christopher Huhn <c.huhn@gsi.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 19 Oct 2010 16:03:03 GMT) Full text and rfc822 format available.

Message #49 received at 528062@bugs.debian.org (full text, mbox):

From: Christopher Huhn <c.huhn@gsi.de>
To: 528062@bugs.debian.org
Subject: Supplied patch breaks working installations with php and suexec
Date: Tue, 19 Oct 2010 17:53:53 +0200
 Hi,

I tested the patch for a Lenny server with quite some public_html 
UserDirs - I suspect that my observations also apply to Squeeze.

The behavior of our configuration with the default Apache packages is 
that normal CGI scripts in public_html dirs are running under the owners 
uid, while php scripts are executed as www-data. We don't use fcgid.
Our desired behavior would be that CGI scripts as well as PHP scripts 
run under the owners uid. This can be quite easily setup with suphp, but 
a solution that only requires suexec would be nice.

With the supplied patch PHP scripts are run under the owners uid *if and 
only if* the php binary is copied to every public_html dir that contains 
php scripts, symlinking does not seem to work here.
Also mod_action has to be configured correctly (which I did not figure 
out yet for *many* userdirs).

Without further action the patch completely breaks PHP script execution 
(Error 500) beneath user dirs when suexec is enabled.

IMHO it is far from production ready. For only few different users it is 
rather simple to set up different vhosts with explicit SuexecUserGroup 
configs that will give you the same results.

Just my ยข 2,
    Christopher






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Sun, 23 Jan 2011 01:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 23 Jan 2011 01:39:06 GMT) Full text and rfc822 format available.

Message #54 received at 528062@bugs.debian.org (full text, mbox):

From: "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>
To: 528062@bugs.debian.org, Christopher Huhn <c.huhn@gsi.de>
Subject: Supplied patch breaks working installations with php and suexec
Date: Sun, 23 Jan 2011 02:32:03 +0100
[Message part 1 (text/plain, inline)]
> With the supplied patch PHP scripts are run under the owners uid *if and 
> only if* the php binary is copied to every public_html dir that contains 
> php scripts, symlinking does not seem to work here.

It do not need to be copied. I would not even advise this as it will be problematic
due to the disk usage, cache usage and problems with php upgrades.


It is sufficient to create 2 line shell script (as ~/public_html/fcgi-bin/php-fcgi-wrapper)

#!/bin/sh
exec /usr/bin/php5-cgi

It is needed becuase of suexec behaviour of running only fcgi scripts being owned by user,
and being in proper subdirectory. I already given this wrapper in message #20, as php-fcgi-wrapper.
There is nothing unsafe in this file being editable by user, it will be anyway started
with rights of user, and nothing beyond what already can be broken in normal php will be broken.
(like starting other programs or deleting files).

I would not say this breaks suexec. It actually makes suexec work as described in Apache documentation.


Also mod_action beheaves in normal way. This is setuped using per directory .htaccess,
for exaempl "Action php-fcgi /~baryluk/fcgi-bin/php-fcgi-wrapper".
It is also safe to make this file user-editable. It can be owned by somebody else
if one really need, or written directly in main configuration file (nested in proper Directory section),
or upper in directory hierarchy. It will not break anything.

> Also mod_action has to be configured correctly (which I did not figure 
> out yet for *many* userdirs).

I have currently .htaccess in each individual public_html dir of each user
which want to have php. The problem you state, is like saying to express:

For each php handler with url matchinng "^/~([^/]+)/", use "/~$1/fcgi-bin/php-fcgi-wrapper" as Action.

IMHO problem that this is not supported, is problem with mod_actions module, not this patch.


> IMHO it is far from production ready. For only few different users it is 
> rather simple to set up different vhosts with explicit SuexecUserGroup 
> configs that will give you the same results.
I have about 200 users, of which about 50 have PHP enabled.
What is even nicer in this (IMHO correct) behaviour after applying patch,
is that user can enable/disable php without administrator.
Similar one can for example change version of php if he/she whishes.
(one can disable this behaviour by disabling htaccess processing,
or disabling overriding Actions in per-directory htaccess).

For simplicity I just have /etc/skel/public_html/.htaccess with proper Action line,
which is comented out, and additional comment what it is, and when it should be comented out.
Similary in /etc/skel/public_html/cgi-bin/php5-fcgi-wrapper i have above script
(with commented exec and comment that it should uncommented if one wishes PHP).
This makes all new users have this files. For old users I copied this files
using simple script.

BTW. I have disabled php by default as additional security precaution.
But one can of course enable it by default, and it will by still good.


> Without further action the patch completely breaks PHP script execution 
> (Error 500) beneath user dirs when suexec is enabled.
In my opinion it is not true. It is just a way suexec works.
You need to configure it carefully becuase it is very strict.
This is also the reason i provided step-by-step detailed configuration
(on clean setup with patch).

According to the suexec documentation the behaviour of patch is correct.
(or maybe you are talking about some other way of exeuting php script?
like mod_php or other form of cgi of suphp, etc).

Thanks for your comments!


From: Stefan Fritsch
> I suspect that the patch would break suexec for mod_include's exec 
> subrequests, but haven't tested it yet. Maybe the note needs to be set 
> both on the main and the sub request.

It is possible. But I do not use includes, and do knot know how exactly they works.
I reported this problem with patch on Apache bugzilla, but nobody from developers
responds. :(

Bug entry is here https://issues.apache.org/bugzilla/show_bug.cgi?id=49439

PS. Exact configuration can be also found on https://issues.apache.org/bugzilla/show_bug.cgi?id=49439#c6


-- 
Witold Baryluk
JID: witold.baryluk // jabster.pl
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#528062; Package apache2. (Sun, 18 Dec 2011 18:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to 528062@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 18 Dec 2011 18:15:06 GMT) Full text and rfc822 format available.

Message #59 received at 528062@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>
Cc: 528062@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#528062: Supplied patch breaks working installations with php and suexec
Date: Sun, 18 Dec 2011 19:12:05 +0100
tags 528062 -patch
forwarded 528062 
https://issues.apache.org/bugzilla/show_bug.cgi?id=49439
thanks

On Sunday 23 January 2011, Witold Baryluk wrote:
> I reported this problem with patch on Apache bugzilla, but nobody
> from developers responds. :(
> 
> Bug entry is here
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49439

As discussed in the upstream bug report, it is far from clear that 
your patch does not break other things or cause wrong behavior with 
other configurations. Therefore I am removing the patch tag.

Further discussion should happen in the upstream report.




Removed tag(s) patch. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. (Sun, 18 Dec 2011 18:15:09 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'https://issues.apache.org/bugzilla/show_bug.cgi?id=49439'. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Sun, 18 Dec 2011 18:27:07 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 15:37:56 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.