RE: Suexec: cannot run as forbidden guid

From: Ryan Golhar
Date: 04/04/04

    To: General Red Hat Linux discussion list
    Date: Sun, 4 Apr 2004 11:58:44 -0400

    Thanks Cameron. I thought about this for a while. I didn't want to
    make any source modifications in case an update overwrote my changes.

    In any case, I ended up changing the GID of users from 100 to 500 in
    /etc/groups and changed the user's default group in /etc/passwd from 100
    to 500 and reset the ownerships on their files. Everything seems to be
    working now.

    It's odd because the scripts in /var/www/cgi-bin can be owned by anyone
    and run, so that pretty much does away with the security precautions...

    Ryan Golhar
    Computational Biologist
    The Informatics Institute at
    The University of Medicine & Dentistry of NJ

    Phone: 973-972-5034
    Fax: 973-972-7412

    -----Original Message-----
    From: Cameron Simpson
    Sent: Sunday, April 04, 2004 4:56 AM
    To: General Red Hat Linux discussion list
    Subject: Re: Suexec: cannot run as forbidden guid

    On 22:37 01 Apr 2004, Ryan Golhar wrote:
    | I have RedHat 9 running as a web server for several people. [...] They
    | have their own public_html directories with a cgi-bin directory as
    | well. All the users belong to the group 'users' with the GID of 100.
    | I started getting this error in the suexec log whenever a CGI script
    | is called:
    | Uid: (501/golharam) gid: (100/100) cmd: test.cgi
    | Cannot run as forbidden gid (100/test.cgi)
    | I created a new group called webapps with GID of 500 and chown'd the
    | cgi file to golharam:webapps but still get the error message. I'm not
    | even aware that I set up suexec.

    The Apache shipped with RedHat uses suexec. Which is quite handy.

    Suexec has a large number of sanity checks turned on in it, and one of
    these is a range check on the uid and gid of the script - the intent is
    to refuse to run with ids that are too low, on the premise that these are
    usually admin-type ids (print services, etc) and shouldn't be available
    to something as easy to mis-secure as a CGI script.

    For an _internal_ web server (not internet facing) it may be sensible to
    turn off a lot of these checks - at my work place we have several of
    them disabled on the shared internal web server.

    To do this you must recompile the suexec program from source - fetch an
    Apache source matching the version on your web server, build the
    suexec.c program and install it by hand. Think VERY CAREFULLY about any
    checks you turn off and how their absence may be abused.

    | I want the script to run as
    | 'apache' which is what the web server is running as. How can I keep
    | the scripts as apache:apache?

    A better question might be: why do you want this?

    The only time you care about the uid/gid of a CGI script is if it must
    access local data. No local data should be owned by apache - the whole
    point of the apache user is to ensure that CGI scripts and the server in
    general have no special privileges (i.e. can only access publicly
    available files) for security.

    Probably you need to renumber the gid of the group you do want to use,
    whatever it is - probably not "apache" - to an id over 1000.


    Cameron Simpson <> DoD#743
    It is necessary for technical reasons that these warheads be stored with
    the top at the bottom and the bottom at the top. In order that there may
    be no doubt as to which is the top and which is the bottom, for storage
    purposes it will be seen that the bottom of each head has been labelled
    with the word TOP.      - Instructions for storing British nuclear
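The range check Cameron describes, as an added example that is not code from the thread or from Apache: a small pre-flight script that applies suexec's uid/gid minimums to a CGI script's owner and group, so the "forbidden gid" refusal can be predicted before Apache logs it. The minimums are compile-time constants of whichever suexec binary is installed; the 500/500 used here is an assumed placeholder that happens to match what Ryan observed (gid 100 refused, gid 500 accepted), and on Apache 2.x the real values can be read with `suexec -V` (AP_UID_MIN / AP_GID_MIN). The `check_script` helper uses GNU coreutils `stat -c`.

```shell
#!/bin/sh
# Added example, not from the thread or from Apache's suexec.c: reproduce the
# uid/gid range check locally.  500/500 below are ASSUMED placeholders for the
# compiled-in minimums of a particular suexec build.

# check_ids UID GID CMD UID_MIN GID_MIN
# Refuse any uid or gid below the compiled minimum, printing a message in the
# style of the suexec log.  Returns 0 only when the ids would be accepted.
check_ids() {
    uid=$1 gid=$2 cmd=$3 uid_min=$4 gid_min=$5
    if [ "$uid" -lt "$uid_min" ]; then
        echo "Cannot run as forbidden uid ($uid/$cmd)"
        return 1
    fi
    if [ "$gid" -lt "$gid_min" ]; then
        echo "Cannot run as forbidden gid ($gid/$cmd)"
        return 1
    fi
    echo "uid $uid gid $gid accepted for $cmd"
    return 0
}

# check_script PATH UID_MIN GID_MIN
# Read the script's owner, group and mode (GNU coreutils stat) and apply the
# range check, plus two of suexec's other refusals that the range check does
# not cover: setuid/setgid bits on the script and a world-writable script.
check_script() {
    script=$1 uid_min=$2 gid_min=$3
    ids=$(stat -c '%u %g %a' "$script") || return 2
    s_uid=${ids%% *}
    rest=${ids#* }
    s_gid=${rest%% *}
    mode=${rest#* }
    check_ids "$s_uid" "$s_gid" "$(basename "$script")" "$uid_min" "$gid_min" || return 1
    case $mode in
        [2-7]???)
            echo "Cannot run setuid/setgid script ($script, mode $mode)"
            return 1 ;;
    esac
    case $mode in
        *[2367])
            echo "Script is writable by others ($script, mode $mode)"
            return 1 ;;
    esac
    return 0
}

# The case from the thread: uid 501 (golharam), gid 100 (users), test.cgi,
# against an assumed 500/500 build: refused on the gid.
check_ids 501 100 test.cgi 500 500 || :
# After the group was renumbered to 500 the same script is accepted.
check_ids 501 500 test.cgi 500 500
# Check a real file when a path is given on the command line.
if [ $# -gt 0 ]; then check_script "$1" 500 500; fi
```

Run it as `sh suexec-precheck.sh ~golharam/public_html/cgi-bin/test.cgi` (an assumed path) to see which of the checks a given script would trip; the point of `check_script` is that renumbering a group fixes only the range check, and a script that is also world-writable or setgid will still be refused.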
