HP3000-L Archives

June 2001, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Mark Bixby <[log in to unmask]>
Date: Wed, 20 Jun 2001 11:47:56 -0700

Curtis Larsen wrote:
>
> Ok, after a few days of (much-needed) R&R and task re-re-deployment, I
> find myself in front of the Apache code again.  I've got Apache
> re-compiling happy each time, but it never sees suexec -- at least it
> doesn't say so in the httpd_log like the docs sez it should.  When I run
> suexec manually, it runs fine, but places an entry in its log saying
> someone is running it without any parms, and quits.
>
> So I have two working programs -- which is pretty cool in and of itself
> -- they're just not working together.  I've changed the "sbin" location
> setting so that suexec gets created in /APACHE/PUB, but I can't seem to
> get it to create it in all UPpercase.  Based on what I've learned thus
> far, I'll need to do that in order to have the Apache code run &
> recognize the suexec program in MPE namespace, since suexec will need
> "PM" to run correctly.
>
> So -- almost there, but not quite.  Can someone suggest where I need to
> modify the code to build an MPE namespace file?  I tried using a
> symlink, but Apache was too smart for that -- it wants a "real" filename
> (or perhaps a hard link, but of course that's not possible) to call.

The name of the suexec binary is controlled by the SUEXEC_BIN define.  To put
this in MPE namespace, you will have to override SUEXEC_BIN at compile time:

-DSUEXEC_BIN=\"/APACHE/PUB/SUEXEC\"

Then create/copy/rename/etc the suexec binary as /APACHE/PUB/SUEXEC.

I don't think symlinks are what's being forbidden; in src/main/http_main.c we
have:

/* check to see if we have the 'suexec' setuid wrapper installed */
static int init_suexec(void)
{
    int result = 0;

#if !defined(WIN32) && !defined(NETWARE)
    struct stat wrapper;

    if ((stat(SUEXEC_BIN, &wrapper)) != 0) {
        result = 0;
    }
    else if ((wrapper.st_mode & S_ISUID) && (wrapper.st_uid == 0)) {
        result = 1;
    }
#endif /* ndef WIN32 */
    return result;
}

If the SUEXEC_BIN file does not exist, this function returns 0.

If it does exist, and the setuid bit is set (chmod u+s), and the owner UID is
0, then this function returns 1, which apparently denotes success.

MPE lacks setuid 0, that's why you'll be using GETPRIVMODE instead.  So that
check in init_suexec isn't really valid for MPE, and I'd modify it to be:

    else
#ifndef MPE
    if ((wrapper.st_mode & S_ISUID) && (wrapper.st_uid == 0))
#endif
    {
        result = 1;
    }

--
[log in to unmask]
Remainder of .sig suppressed to conserve scarce California electrons...

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
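
Added example (not part of the original message or of Apache's source): a small C diagnostic that applies the conditions of init_suexec() quoted above one at a time and reports which one rejects the wrapper. The enum, the function names and the require_setuid_root flag are this example's own assumptions; setting the flag to 0 models the #ifndef MPE variant, where the file's existence is the only test that remains.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Outcome of the wrapper check (names are hypothetical, for this example). */
enum wrapper_status {
    WRAPPER_OK, WRAPPER_MISSING, WRAPPER_NOT_SETUID, WRAPPER_NOT_ROOT_OWNED
};

/* Same decision as init_suexec(), split so each condition is reported.
 * require_setuid_root = 0 models the "#ifndef MPE" variant. */
enum wrapper_status classify_wrapper(int exists, mode_t mode, uid_t uid,
                                     int require_setuid_root)
{
    if (!exists)
        return WRAPPER_MISSING;            /* stat() failed */
    if (!require_setuid_root)
        return WRAPPER_OK;                 /* MPE variant: existence only */
    if (!(mode & S_ISUID))
        return WRAPPER_NOT_SETUID;         /* needs chmod u+s */
    if (uid != 0)
        return WRAPPER_NOT_ROOT_OWNED;     /* owner UID must be 0 */
    return WRAPPER_OK;
}

/* stat() follows symlinks, so a symlink is judged by the file it points to. */
enum wrapper_status check_wrapper(const char *path, int require_setuid_root)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return classify_wrapper(0, 0, 0, require_setuid_root);
    return classify_wrapper(1, st.st_mode, st.st_uid, require_setuid_root);
}

int main(int argc, char **argv)
{
    static const char *text[] = {
        "accepted", "file not found", "setuid bit not set", "not owned by UID 0"
    };
    /* Default path is the one used in the message above. */
    const char *path = argc > 1 ? argv[1] : "/APACHE/PUB/SUEXEC";

    printf("%s\n  setuid-root check: %s\n  MPE variant:       %s\n", path,
           text[check_wrapper(path, 1)], text[check_wrapper(path, 0)]);
    return 0;
}
```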
