Fedora: This forum is for the discussion of the Fedora Project.
now this is a cgi script running from my web server.....i made it 777 and it is owned by root.....what else can i do??? and the same script is running well from my dedicated server....it is my home server where i have problems.
If it is running on the webserver, then it will be running as the server's uid, not root...
Best solution is to change the script so it uses a port greater than 1024. You can also make the script suid root, but this is very bad security wise, and I would not recommend it unless the server is not publicly accessible, and you can trust your local users.
that is weird...i just opened the script and looked in it for the error message hoping i might find a clue....but i could not find the message in the cgi script. so it seems this is related to how perl is installed on my server. When I installed the system i picked web server configurations and added extra things.
chmod 4755 cgi_script << Is this how it should be done??? Because i tried it but it did not work, in this case the cgi will not work at all. So I changed it back to 755. The file is root:root
Yeah, that's because the error is coming from the kernel...
Yeah, that will make it setuid. Same error message?
Not sure what to tell you. You say it's working fine on a different server, can you not compare the configuration with the one that works?
I don't know if it is possible. The other server is controlled by plesk and the system is RH 9. My server at home is Fedora Core 4.
Now when you chmod a cgi script to 4755...are you expecting it to run as any cgi script or not??? because in my case it does not run at all...it should be 755 or 777 to run!!! probably if i can fix this problem and the cgi script executes even if the permission is 4755 this could resolve the problem.
What security problems if it runs in this mode???
and many thanks for the help...i really appreciate that.
Quote:
Now when you chmod a cgi script to 4755...are you expecting it to run as any cgi script or not??? because in my case it does not run at all...it should be 755 or 777 to run!!! probably if i can fix this problem and the cgi script executes even if the permission is 4755 this could resolve the problem
suid should make the script run as the scripts owner, no matter who runs it, ie: root.
Quote:
What security problems if it runs in this mode???
The fact that it runs as root is a security problem in itself. I don't know what your script does, but if it is exploitable, then the exploiter will have root access to your system! As I mentioned, I heartily recommend _not_ making it suid if your server is available over the internet at large...
You have not given any info on what your cgi script does, but the best solution to your problem is to edit the script and see if you cannot make it use a port greater than 1024. If you can do this, then the socket call does not require root privileges.
As for the script not running when suid, perhaps this is the problem:
Code:
# This `suexec` module provides the ability to execute CGI scripts under
# a different user than apache is run.
#
LoadModule suexec_module modules/mod_suexec.so
Perhaps you don't have this apache module loaded, in which case the script will not run suid...
Is it OK to assume that a vulnerability will occur only if the cgi is not known...like if a user asked me to make his script root. But for a script like the one i'm using where we know everything about it....it will be OK to make it root????
Let me start by saying.....ThAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnk yOuuuuuuuuuu for all the explanation....i learned a lot from the discussion with you.
The solution of the problem was by turning off the SELinux protection for httpd daemon!!!!!!
Can you explain what the hell is that thing?!!!! Is it important??? Shall I turn it off for the rest??? I got the idea by looking at stanton-finley tutorial.
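Added example, not part of the thread: SELinux records each blocked operation as an AVC denial in the audit log, so the denial for the CGI script can be read directly to see which operation the httpd policy refused. The sketch below parses constructed AVC lines and summarizes denials whose source domain starts with `httpd_`; the log lines, port number and function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample audit lines (not taken from the thread); the PIDs,
# port number and type names are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1130000001.101:51): avc:  denied  { name_bind } for  pid=2301 comm="script.cgi" src=843 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1130000002.202:52): avc:  denied  { name_bind } for  pid=2302 comm="script.cgi" src=843 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1130000003.303:53): avc:  denied  { read } for  pid=1999 comm="cupsd" name="printers.conf" scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1130000004.404:54): avc:  granted  { name_connect } for  pid=2303 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1130000004.404:54): arch=40000003 syscall=102 success=yes
"""

# Matches only denials: "avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_denial(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; fragments without '=' (from quoted values with spaces) are skipped
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    # A context is user:role:type[:level]; the type is the third component.
    src = fields.get("scontext", "").split(":")
    tgt = fields.get("tcontext", "").split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    return {"perms": m.group("perms").split(),
            "comm": fields.get("comm", "").strip('"'),
            "source_type": src[2], "target_type": tgt[2],
            "tclass": fields.get("tclass", ""),
            "port": fields.get("src") or fields.get("dest")}

def httpd_denials(log_text, prefix="httpd_"):
    """Count denials per (source type, permission, class, target type, port)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and d["source_type"].startswith(prefix):
            for perm in d["perms"]:
                counts[(d["source_type"], perm, d["tclass"], d["target_type"], d["port"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in httpd_denials(SAMPLE_LOG).items():
        print(n, *key)
```
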