suexec: disabled; invalid wrapper /usr/sbin/suexec

suexec: disabled; invalid wrapper /usr/sbin/suexec

Lars D. Noodén
Listing the modules in Apache/1.3.29 (4.4-current base, i386 snapshot
from 29 Aug) gives a warning regarding suexec.

Regards
-Lars

# httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  . . .
  mod_ssl.c
suexec: disabled; invalid wrapper /usr/sbin/suexec


Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

Jeremy Huiskamp-3
On 31-Aug-08, at 3:21 PM, Lars Noodén wrote:

> Listing the modules in Apache/1.3.29 (4.4-current base, i386 snapshot
> from 29 Aug) gives a warning regarding suexec.
>
> Regards
> -Lars
>
> # httpd -l
> Compiled-in modules:
>   http_core.c
>   mod_env.c
>   . . .
>   mod_ssl.c
> suexec: disabled; invalid wrapper /usr/sbin/suexec
>

Did you read suexec(8)?


Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

Lars D. Noodén
Jeremy Huiskamp wrote:
>> suexec: disabled; invalid wrapper /usr/sbin/suexec
>
> Did you read suexec(8)?

I expect you mean this?

        "Because this program is only used internally by httpd(8),
        there are no other ways to directly invoke suexec."

No. I was looking at mod_perl and have no plans in the near future to
try suexec.  The error makes some sense in the context above.

Regards
-Lars


Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

Jeremy Huiskamp-3
On 1-Sep-08, at 3:17 AM, Lars Noodén wrote:

> Jeremy Huiskamp wrote:
>>> suexec: disabled; invalid wrapper /usr/sbin/suexec
>>
>> Did you read suexec(8)?
>
> I expect you mean this?
>
> "Because this program is only used internally by httpd(8),
> there are no other ways to directly invoke suexec."
>
> No. I was looking at mod_perl and have no plans in the near future to
> try suexec.  The error makes some sense in the context above.
>
> Regards
> -Lars
>

No, I meant this:
"In order to work correctly, the suexec binary should be owned by ``root''
and have the SETUID execution bit set.  OpenBSD currently does not install
suexec with the SETUID bit set, so a change of file mode is necessary to
enable it..."


Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

Lars D. Noodén
Jeremy Huiskamp wrote:

> No, I meant this:
> "In order to work correctly, the suexec binary should be owned by ``root''
> and have the SETUID execution bit set.  OpenBSD currently does not install
> suexec with the SETUID bit set, so a change of file mode is necessary to
> enable it..."

Thanks.

Interesting.  I thought SUID-root scripts were vulnerable to race
condition-based vulnerabilities, among other things.  Is that also the
case for OpenBSD?  If not, why?

Alternately, how lame would it be to have one suexec per suexec-user and
have each copy owned by that user?  That would at least avoid having it
operate as root.

Regards,
-Lars


Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

John Wright-6
In reply to this post by Lars D. Noodén
On Mon, Sep 01, 2008 at 10:17:34AM +0300, Lars Noodén wrote:
> Jeremy Huiskamp wrote:
> >> suexec: disabled; invalid wrapper /usr/sbin/suexec
> >
> > Did you read suexec(8)?
>
> I expect you mean this?
>
> "Because this program is only used internally by httpd(8),
> there are no other ways to directly invoke suexec."

No.  The next paragraph.


Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

Henning Brauer
In reply to this post by Lars D. Noodén
* Lars Noodén <[hidden email]> [2008-09-01 10:05]:

> Jeremy Huiskamp wrote:
>
> > No, I meant this:
> > "In order to work correctly, the suexec binary should be owned by ``root''
> > and have the SETUID execution bit set.  OpenBSD currently does not install
> > suexec with the SETUID bit set, so a change of file mode is necessary to
> > enable it..."
>
> Thanks.
>
> Interesting.  I thought SUID-root scripts were vulnerable to race
> condition-based vulnerabilities, among other things.  Is that also the
> case for OpenBSD?  If not, why?

<brahe@nudo>  $ file /usr/sbin/suexec    
/usr/sbin/suexec: ELF 64-bit MSB executable, SPARC64, version 1, for
OpenBSD, dynamically linked (uses shared libs), stripped

-> not a script.

> Alternately, how lame would it be to have one suexec per suexec-user and
> have each copy owned by that user?  That would at least avoid having it
> operate as root.

oh holy root, must be avoided at any cost, right.

go read suexec code. even docs would be a good start.

first thing it does after being invoked is dropping privileges to the
target user account.


--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam


Re: suexec: disabled; invalid wrapper /usr/sbin/suexec

Hannah Schroeter
In reply to this post by Jeremy Huiskamp-3
Hi!

On Sun, Aug 31, 2008 at 05:01:20PM -0400, Jeremy Huiskamp wrote:

>Did you read suexec(8)?

Wouldn't one also need to copy over the suexec binary to the chroot for
chrooted httpds, nowadays? That isn't mentioned in the suexec(8) manual
page.

Kind regards,

Hannah.