RE: Suexec: cannot run as forbidden guid
From: Ryan Golhar (ryangolhar_at_verizon.net)
To: <firstname.lastname@example.org>, "'General Red Hat Linux discussion list'" <email@example.com> Date: Sun, 4 Apr 2004 11:58:44 -0400
Thanks Cameron. I thought about this for a while. I didn't want to
make any source modifications in case there was an update and overwrote
In any case, I ended up changing the GID of users from 100 to 500 in
/etc/groups and changed the user's default group in /etc/passwd from 100
to 500 and reset the ownerships on their files. Everything seems to be
Its odd because the scripts in /var/www/cgi-bin can be owned by anyone
and run so that pretty much does away with the security precautions...
The Informatics Institute at
The University of Medicine & Dentistry of NJ
From: Cameron Simpson [mailto:firstname.lastname@example.org]
Sent: Sunday, April 04, 2004 4:56 AM
To: email@example.com; General Red Hat Linux discussion list
Subject: Re: Suexec: cannot run as forbidden guid
On 22:37 01 Apr 2004, Ryan Golhar <firstname.lastname@example.org> wrote:
| I have RedHat 9 running an a web server for several people. [...] They
| have their own public_html directories with a cgi-bin directory as
| well. All the users belong to the group 'users' with the GID of 100.
| I started getting this error whenever a cgi script to called in the
| suexec log:
| Uid: (501/golharam) gid: (100/100) cmd: test.cgi
| Cannot run as forbidden gid (100/test.cgi)
| I created a new group called webapps with GID of 500 and chown'd the
| cgi file to golharam:webapps but still get the error message. I'm not
| even aware that I set up suexec.
The Apache shipped with RedHat uses suexec. Which is quite handy.
Suexec has a large number of sanity checks turned on in it, and one of
these is a range check on the uid and gid of the script - the intent it
to refuse to run with ids that are too low on the premise that these are
usually admin-type ids (print services, etc) and shouldn't be available
to something as easy to mis-secure as a CGI script.
For an _internal_ web server (not internet facing) it may be sensible to
turn off a lot of these checks - at my work place we have several of
them disabled on the shared internal web server.
To do this you must recompile the suexec program from source - fetch an
Apache source matching the version on your web server and build the
suexec.c program and install it by hand. Think VERY CAREFULLY about any
checks you turn off and how their absense may be abused.
| I want the script to run a
| 'apache' which is what the web server is running as. How can I keep
| the scripts as apache:apache?
A better question might be: why do you want this?
The only time you care about the uid/gid of a CGI script is if it must
access local data. No local data should be owned by apache - the whole
point of the apache user is to ensure that CGI scripts and the server in
general have no special privileges (i.e. can only access publicly
available file) for security.
Probably you need to renumber the gid of the group you do want to use,
whatever it is - probably not "apache" - to an id over 1000.
-- Cameron Simpson <email@example.com> DoD#743 http://www.cskk.ezoshosting.com/cs/ It is necessary for technical reasons that these warheads be stored with the top at the bottom and the bottom at the top. In order that there may be no doubt as to which is the top and which is the bottom, for storage purposes it will be seen that the bottom of each head has been labelled with the word TOP. - Instructions for storing British nuclear warheads -- redhat-list mailing list unsubscribe mailto:firstname.lastname@example.org?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list