Hiawatha cgi-wrapper: SUID PROBLEM


Hiawatha cgi-wrapper: SUID PROBLEM

Marco Spiga-2
Does anyone here run the Hiawatha webserver 6.14 (I have also tried various other versions) on OpenBSD 4.5 GENERIC i386?
The cgi-wrapper program won't set the user ID (suid) correctly!

The exact same configuration works fine on Ubuntu Linux with a custom
2.6.30 kernel; I have now moved it to OpenBSD 4.5.


# Hiawatha main configuration file
#


# GENERAL SETTINGS
#
ServerId = www-data
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log


# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
        Port = 80
        Interface = 127.0.0.1
        TimeForRequest = 3,20
}
Binding {
        Port = 80
        Interface = 128.0.0.2
        TimeForRequest = 3,20
}
#

CGIhandler = /usr/bin/perl:pl
CGIextension = cgi
CGIwrapper = /usr/local/sbin/cgi-wrapper
Hostname = 127.0.0.1
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
#ErrorHandler = 404:/error.cgi


# VIRTUAL HOSTS
# Use a VirtualHost section to declare the websites you want to host.
#

VirtualHost {
        Hostname = 128.0.0.2
        WebsiteRoot = /var/www/hsools/perl
        StartFile = index.html
        AccessLogfile = /var/www/hsools/log/access.log
        ErrorLogfile = /var/www/hsools/log/error.log
        ExecuteCGI = yes
        RequireSSL = yes
        WrapCGI = hsools
        TimeForCGI = 5
}


# CGI wrapper configuration
#
# Use the 'newroot' tool to copy applications to a chroot directory.

# CGIhandler = /path/to/cgi-handler
#
CGIhandler = /usr/bin/perl

# Wrap = <wrap-id>;<cgiroot>;<userid>[:<group>]
#
Wrap = hsools ; /var/www/hsools ; 1005:1005

$ /usr/local/sbin/wigwam
Using /usr/local/etc/hiawatha
Reading httpd.conf
No non-fatal errors found in the Hiawatha configuration.

$ mount
/dev/wd0a on / type ffs (local)
/dev/wd0d on /home type ffs (local, nodev, noexec, nosuid)
/dev/wd0e on /usr type ffs (local, nodev)
/dev/wd0f on /var type ffs (local, nodev, nosuid)
mfs:3856 on /tmp type mfs (local, size=204800 512-blocks)


$ ls -l /var/www
total 12
drwxr-xr-x  2 root   wheel        512 Jun 10 20:17 hiawatha
drwxr-xr-x  6 myacc  hsools  512 Jun 10 15:57 hsools

$ ls -l /var/www/hsools
total 16
drwxr-x--x  2 myacc  hsools  512 Sep  5 13:22 log
drwxr-xr-x  2 myacc  hsools  512 Jun 10 19:35 perl

$ ls -l /var/www/hsools/perl
total 12
-rwxr-xr--  1 myacc  hsools  1090 Jun 10 15:58 index.html
-rwxr-x---  1 myacc  hsools   829 Jun 10 19:35 login_admin.cgi

$ ls -l /usr/local/sbin
total 2552
-rwsr-xr-x  1 root  wheel   57854 Sep  7 11:02 cgi-wrapper
-rwxr-xr-x  1 root  wheel  707955 Sep  7 11:02 hiawatha
-rwxr-xr-x  1 root  wheel    2488 Sep  7 11:02 newroot
-rwxr-xr-x  1 root  wheel   68672 Sep  7 11:02 php-fcgi
-rwxr-xr-x  1 root  wheel   72329 Sep  7 11:02 wigwam


$ cat /var/www/hsools/log/error.log
Mon 07 Sep 2009 10:34:17 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem
Mon 07 Sep 2009 11:42:35 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem
Mon 07 Sep 2009 11:52:10 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem

Why doesn't cgi-wrapper set the suid to 'hsools' correctly?

Many Thanks

Marco


Re: Hiawatha cgi-wrapper: SUID PROBLEM

Ian McWilliam-2
Marco Spiga wrote:

> Anyone of you work with hiawatha webserver 6.14 (but I have tryed varius versions) in OpenBSD 4.5 GENERIC i386?
> The program cgi-wrapper won't set suid correctly!
>
> I state that the exact same configuration work very fine into
> Linux ubuntu with custom kernel 2.6.30 and I move it into OpenBSD 4.5.
>
>
> # Hiawatha main configuration file
> #
>
>
> # GENERAL SETTINGS
> #
> ServerId = www-data
> ConnectionsTotal = 150
> ConnectionsPerIP = 10
> SystemLogfile = /var/log/hiawatha/system.log
> GarbageLogfile = /var/log/hiawatha/garbage.log
>
>
> # BINDING SETTINGS
> # A binding is where a client can connect to.
> #
> Binding {
> Port = 80
> Interface = 127.0.0.1
> TimeForRequest = 3,20
> }
> Binding {
> Port = 80
> Interface = 128.0.0.2
> TimeForRequest = 3,20
> }
> #
>
> CGIhandler = /usr/bin/perl:pl
> CGIextension = cgi
> CGIwrapper = /usr/local/sbin/cgi-wrapper
> Hostname = 127.0.0.1
> WebsiteRoot = /var/www/hiawatha
> StartFile = index.html
> AccessLogfile = /var/log/hiawatha/access.log
> ErrorLogfile = /var/log/hiawatha/error.log
> #ErrorHandler = 404:/error.cgi
>
>
> # VIRTUAL HOSTS
> # Use a VirtualHost section to declare the websites you want to host.
> #
>
> VirtualHost {
> Hostname = 128.0.0.2
> WebsiteRoot = /var/www/hsools/perl
> StartFile = index.html
> AccessLogfile = /var/www/hsools/log/access.log
> ErrorLogfile = /var/www/hsools/log/error.log
> ExecuteCGI = yes
> RequireSSL = yes
> WrapCGI = hsools
> TimeForCGI = 5
> }
>
>
> # CGI wrapper configuration
> #
> # Use the 'newroot' tool to copy applications to a chroot directory.
>
> # CGIhandler = /path/to/cgi-handler
> #
> CGIhandler = /usr/bin/perl
>
> # Wrap = <wrap-id>;<cgiroot>;<userid>[:<group>]
> #
> Wrap = hsools ; /var/www/hsools ; 1005:1005
>
> $ /usr/local/sbin/wignam
> Using /usr/local/etc/hiawatha
> Reading httpd.conf
> No non-fatal errors found in the Hiawatha configuration.
>
> $ mount
> /dev/wd0a on / type ffs (local)
> /dev/wd0d on /home type ffs (local, nodev, noexec, nosuid)
> /dev/wd0e on /usr type ffs (local, nodev)
> /dev/wd0f on /var type ffs (local, nodev, nosuid)
> mfs:3856 on /tmp type mfs (local, size=204800 512-blocks)
>
>
> $ ls -l /var/www
> total 12
> drwxr-xr-x  2 root   wheel        512 Jun 10 20:17 hiawatha
> drwxr-xr-x  6 myacc  hsools  512 Jun 10 15:57 hsools
>
> $ ls -l /var/www/hsools
> total 16
> drwxr-x--x  2 myacc  hsools  512 Sep  5 13:22 log
> drwxr-xr-x  2 myacc  hsools  512 Jun 10 19:35 perl
>
> $ ls -l /var/www/hsools/perl
> total 12
> -rwxr-xr--  1 myacc  hsools  1090 Jun 10 15:58 index.html
> -rwxr-x---  1 myacc  hsools   829 Jun 10 19:35 login_admin.cgi
>
> $ ls -l /usr/local/sbin
> total 2552
> -rwsr-xr-x  1 root  wheel   57854 Sep  7 11:02 cgi-wrapper
> -rwxr-xr-x  1 root  wheel  707955 Sep  7 11:02 hiawatha
> -rwxr-xr-x  1 root  wheel    2488 Sep  7 11:02 newroot
> -rwxr-xr-x  1 root  wheel   68672 Sep  7 11:02 php-fcgi
> -rwxr-xr-x  1 root  wheel   72329 Sep  7 11:02 wigwam
>
>
> $ cat /var/www/hsools/log/error.log
> Mon 07 Sep 2009 10:34:17 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem
> Mon 07 Sep 2009 11:42:35 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem
> Mon 07 Sep 2009 11:52:10 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem
>
> Why cgi-wrapper don't set correctly suid 'hsools'?
>
> Many Thanks
>
> Marco
>
>
>
>
>  
Probably your mount options.

/dev/wd0f on /var type ffs (local, nodev, nosuid)

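By default, OpenBSD adds nosuid to several mount points. The option makes the kernel ignore set-user-ID and set-group-ID bits on executables stored on that filesystem, so what matters is the mount that holds the setuid binary itself.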

Ian McWilliam


Re: Hiawatha cgi-wrapper: SUID PROBLEM

Marco Spiga-2
On Mon, Sep 07, 2009 at 09:16:05PM +1000, Ian McWilliam wrote:

> Date: Mon, 07 Sep 2009 21:16:05 +1000
> From: Ian McWilliam <[hidden email]>
> Subject: Re: Hiawatha cgi-wrapper: SUID PROBLEM
> To: Marco Spiga <[hidden email]>
> CC: [hidden email]
>
> Marco Spiga wrote:
>> Anyone of you work with hiawatha webserver 6.14 (but I have tryed varius versions) in OpenBSD 4.5 GENERIC i386?
>> The program cgi-wrapper won't set suid correctly!
>>
>> I state that the exact same configuration work very fine into
>> Linux ubuntu with custom kernel 2.6.30 and I move it into OpenBSD 4.5.
>>
>>
>> # Hiawatha main configuration file
>> #
>>
>>
>> # GENERAL SETTINGS
>> #
>> ServerId = www-data
>> ConnectionsTotal = 150
>> ConnectionsPerIP = 10
>> SystemLogfile = /var/log/hiawatha/system.log
>> GarbageLogfile = /var/log/hiawatha/garbage.log
>>
>>
>> # BINDING SETTINGS
>> # A binding is where a client can connect to.
>> #
>> Binding {
>> Port = 80
>> Interface = 127.0.0.1
>> TimeForRequest = 3,20
>> }
>> Binding {
>> Port = 80
>> Interface = 128.0.0.2
>> TimeForRequest = 3,20
>> }
>> #
>>
>> CGIhandler = /usr/bin/perl:pl
>> CGIextension = cgi
>> CGIwrapper = /usr/local/sbin/cgi-wrapper
>> Hostname = 127.0.0.1
>> WebsiteRoot = /var/www/hiawatha
>> StartFile = index.html
>> AccessLogfile = /var/log/hiawatha/access.log
>> ErrorLogfile = /var/log/hiawatha/error.log
>> #ErrorHandler = 404:/error.cgi
>>
>>
>> # VIRTUAL HOSTS
>> # Use a VirtualHost section to declare the websites you want to host.
>> #
>>
>> VirtualHost {
>> Hostname = 128.0.0.2
>> WebsiteRoot = /var/www/hsools/perl
>> StartFile = index.html
>> AccessLogfile = /var/www/hsools/log/access.log
>> ErrorLogfile = /var/www/hsools/log/error.log
>> ExecuteCGI = yes
>> RequireSSL = yes
>> WrapCGI = hsools
>> TimeForCGI = 5
>> }
>>
>>
>> # CGI wrapper configuration
>> #
>> # Use the 'newroot' tool to copy applications to a chroot directory.
>>
>> # CGIhandler = /path/to/cgi-handler
>> #
>> CGIhandler = /usr/bin/perl
>>
>> # Wrap = <wrap-id>;<cgiroot>;<userid>[:<group>]
>> #
>> Wrap = hsools ; /var/www/hsools ; 1005:1005
>>
>> $ /usr/local/sbin/wignam
>> Using /usr/local/etc/hiawatha
>> Reading httpd.conf
>> No non-fatal errors found in the Hiawatha configuration.
>>
>> $ mount
>> /dev/wd0a on / type ffs (local)
>> /dev/wd0d on /home type ffs (local, nodev, noexec, nosuid)
>> /dev/wd0e on /usr type ffs (local, nodev)
>> /dev/wd0f on /var type ffs (local, nodev, nosuid)
>> mfs:3856 on /tmp type mfs (local, size=204800 512-blocks)
>>
>>
>> $ ls -l /var/www
>> total 12
>> drwxr-xr-x  2 root   wheel        512 Jun 10 20:17 hiawatha
>> drwxr-xr-x  6 myacc  hsools  512 Jun 10 15:57 hsools
>>
>> $ ls -l /var/www/hsools
>> total 16
>> drwxr-x--x  2 myacc  hsools  512 Sep  5 13:22 log
>> drwxr-xr-x  2 myacc  hsools  512 Jun 10 19:35 perl
>>
>> $ ls -l /var/www/hsools/perl
>> total 12
>> -rwxr-xr--  1 myacc  hsools  1090 Jun 10 15:58 index.html
>> -rwxr-x---  1 myacc  hsools   829 Jun 10 19:35 login_admin.cgi
>>
>> $ ls -l /usr/local/sbin
>> total 2552
>> -rwsr-xr-x  1 root  wheel   57854 Sep  7 11:02 cgi-wrapper
>> -rwxr-xr-x  1 root  wheel  707955 Sep  7 11:02 hiawatha
>> -rwxr-xr-x  1 root  wheel    2488 Sep  7 11:02 newroot
>> -rwxr-xr-x  1 root  wheel   68672 Sep  7 11:02 php-fcgi
>> -rwxr-xr-x  1 root  wheel   72329 Sep  7 11:02 wigwam
>>
>>
>> $ cat /var/www/hsools/log/error.log
>> Mon 07 Sep 2009 10:34:17 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem
>> Mon 07 Sep 2009 11:42:35 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem
>> Mon 07 Sep 2009 11:52:10 +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via filesystem
>>
>> Why cgi-wrapper don't set correctly suid 'hsools'?
>>
>> Many Thanks
>>
>> Marco
>>
>>
>>
>>
>>  
> Probably your mount options.
>
> /dev/wd0f on /var type ffs (local, nodev, nosuid)
>
> By default OpenBSD will add nosuid to various mount points.
>
> Ian McWilliam


Hi Ian, I have already tried that, but it did not solve the problem :-(

--
                                !!!!! Messaggio da Marco !!!!!