From: Luc Vincent <luc@vi...> - 2002-11-27 23:12:27
Fellow backuppc users,
I recently upgraded from Red Hat 7.2 to 7.3. I noticed today that this had
the detrimental effect of breaking suEXEC in apache...
More specifically: I noticed apache was giving me an Error 500 when running
BackupPC_Admin. I did some digging, and found that, in fact, I can't run
any 'setuid' CGI scripts. If I run the script manually from within a shell,
things work just fine. For example, I tried the following 'testsetuid', as
suggested by Craig Barratt in an earlier post:
print "Content-type: text/plain\n\n";
printf("My userid is $> (%s)\n", (getpwuid($>)));
This works just fine on the command line, even with the suid bit set
('chmod u+s backuppc testsetuid'). However, no way to make this run when
calling the script from a web browser. Apache just seems to screw things up.
For giggles, I installed the same script on a Red Hat 7.2 machine, and
things worked just fine. So, it appears that, between Red Hat 7.2 and 7.3,
something has changed that breaks suEXEC. I have looked at /usr/sbin/suexec:
% /usr/sbin/suexec -V
This has not changed between 7.2 and 7.3. The one thing that is odd is that
some web pages I came across while trying to resolve this problem indicate
that setuid scripts can only be located in the 'DOC_ROOT' of suexec, that
is /var/www in this particular case. Perhaps I am missing something, but
this was not a requirement at all in Red Hat 7.2, BackupPC_Admin was
running from a completely different place. So, I am very confused.
Craig will probably suggest that I use the new 'mod_perl', but this
requires accessing your web server over a different port, which I cannot do
for security reasons: I need to administer backuppc remotely over https
(ssl). Opening a new port for backuppc administration would be unsafe.
So, does anybody have an idea what is going on here? Is there a known
problem with setuid and the kernel in Red Hat 7.3? In case this helps, here
is some info on my system:
% uname -a
Linux manuela 2.4.18-18.7.xsmp #1 SMP Wed Nov 13 19:01:42 EST 2002 i686 unknown
% rpm -qa | grep apache
% rpm --query perl
Any help would be greatly appreciated!
From: Luc Vincent <luc@vi...> - 2002-11-28 00:07:37
Well, I have the perl_suidperl RPM installed...
% rpm -qa | grep suidperl
There is something else going on here.
At 04:01 PM 11/27/2002, Toby Johnson wrote:
>You must install the perl_suidperl RPM in order for setuid scripts to work.
From: David Holland <david.holland@3g...> - 2002-11-28 10:18:48
On Wed, Nov 27, 2002 at 03:13:43PM -0800, Luc Vincent wrote:
> I recently upgraded from Red Hat 7.2 to 7.3. I noticed today that this had
> the detrimental effect of breaking suEXEC in apache...
On a related but different note:
I moved BackupPC from a 7.1 box (development/testing) to 8.0
(production) and I had to remove the setuid bit from BackupPC_Admin and
put "SuexecUserGroup backuppc backuppc" in httpd.conf to get things
working. Is that a bodge or the right way to fix it? Certainly it's
working as I'd expect right now.
I also had to manually compile Apache2 because the version that RedHat
distribute doesn't include LDAP support.
:: David Holland :: Systems Manager :: 3G Lab :: +44 01223 478900 ::
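
Two suEXEC conditions come up in this thread: the docroot restriction Luc mentions and the setuid bit David had to remove. The following is an added example, not code from any poster or from BackupPC, that audits a CGI script against four of suEXEC's documented checks before Apache is involved. The function name `suexec_precheck` and its numeric-uid argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight audit of a CGI script against four suEXEC checks.
# Usage: suexec_precheck SCRIPT DOCROOT EXPECTED_UID
# DOCROOT is the AP_DOC_ROOT value reported by `suexec -V`.
suexec_precheck() {
    script=$1 docroot=$2 want_uid=$3 fail=0

    [ -f "$script" ] || { echo "FAIL: $script is not a regular file"; return 2; }

    # Resolve real paths so symlinks and ../ cannot hide the true location.
    dir=$(cd "$(dirname "$script")" && pwd -P) || return 2
    root=$(cd "$docroot" && pwd -P) || { echo "FAIL: docroot $docroot missing"; return 2; }

    # 1. The script must live under suEXEC's compiled-in document root.
    case "$dir/" in
        "$root"/*) ;;
        *) echo "FAIL: $dir is outside docroot $root"; fail=1 ;;
    esac

    # 2. suEXEC refuses targets with the setuid or setgid bit set.
    if [ -u "$script" ] || [ -g "$script" ]; then
        echo "FAIL: setuid/setgid bit set (chmod ug-s)"; fail=1
    fi

    # 3. Neither the script nor its directory may be group- or other-writable.
    for p in "$script" "$dir"; do
        case $(ls -ld "$p" | cut -c1-10) in
            ?????w????|????????w?) echo "FAIL: $p is group/other-writable"; fail=1 ;;
        esac
    done

    # 4. The owner must be the user suEXEC switches to.
    owner=$(ls -ldn "$script" | awk '{print $3}')
    [ "$owner" = "$want_uid" ] || { echo "FAIL: owner uid $owner, expected $want_uid"; fail=1; }

    [ "$fail" -eq 0 ] && echo "OK: $script passes these checks"
    return "$fail"
}
```

For the setup described above it would be called as `suexec_precheck /path/to/BackupPC_Admin /var/www "$(id -u backuppc)"`, with the script path being wherever the CGI is installed.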