Package: libapache2-mpm-itk
Version: 2.4.6-01-1
Severity: normal

I use mpm-itk to run a git server over HTTPS with Kerberos authentication. I want to drop privileges to the user based on the URL, and to the group www-data, since that group has privileges to read the relevant keytab file.

The appropriate block then forces authentication and invokes a setuid wrapper that changes the user's group (to avoid user-controlled hooks running with group www-data) and invokes git.

With the earlier versions of the patch, I simply used:

  AssignUserID bmc www-data

but this doesn't work anymore, and I get:

  [Fri Jan 10 01:54:53.149064 2014] [mpm_itk:warn] [pid 953168] (itkmpm: pid=953168 uid=1000, gid=33) itk_post_perdir_config(): initgroups(www-data, 33): Operation not permitted
  [Fri Jan 10 01:54:53.149159 2014] [mpm_itk:warn] [pid 953168] Couldn't set uid/gid/priority, closing connection.

Note the attempt to call initgroups with the wrong username, which won't work when uid == 1000 (bmc). The git process then hangs, since a connection can never be completed.

It works if I use AssignUserID bmc bmc, but then authentication fails, and I can't push.

Also, while you're at it, there's a typo on line 338: you mean to say wanted_groupname, not wanted_username.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
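A triage script for the two warnings quoted in the report, added here as an example; it is not part of the original message or of mpm-itk. It pairs each failed initgroups() warning with the connection-close warning from the same pid and records which uid the process was already running as. The result field names and the third sample log line are constructed for illustration.

```python
import re

# Sample input: the two warnings quoted in the report plus one constructed,
# unrelated line to show that other modules' messages are ignored.
SAMPLE_LOG = """\
[Fri Jan 10 01:54:53.149064 2014] [mpm_itk:warn] [pid 953168] (itkmpm: pid=953168 uid=1000, gid=33) itk_post_perdir_config(): initgroups(www-data, 33): Operation not permitted
[Fri Jan 10 01:54:53.149159 2014] [mpm_itk:warn] [pid 953168] Couldn't set uid/gid/priority, closing connection.
[Fri Jan 10 01:55:10.000000 2014] [core:notice] [pid 1200] constructed unrelated line
"""

# Common prefix of an mpm_itk warning: timestamp, module:level, pid, message.
PREFIX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[mpm_itk:warn\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
# Message body of the initgroups() failure, as it appears in the report.
INITGROUPS = re.compile(
    r"\(itkmpm: pid=\d+ uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) "
    r"(?P<func>\w+)\(\): initgroups\((?P<name>[^,]+), (?P<arg_gid>\d+)\): "
    r"(?P<err>.+)$")
CLOSED = "Couldn't set uid/gid/priority, closing connection."


def find_failures(log_text):
    """Return one record per pid that logged a failed initgroups() call."""
    failures = {}
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not an mpm_itk warning
        pid = int(m["pid"])
        ig = INITGROUPS.match(m["msg"])
        if ig:
            uid = int(ig["uid"])
            failures[pid] = {
                "pid": pid,
                "timestamp": m["ts"],
                "uid": uid,                        # uid the process held when it logged
                "gid": int(ig["gid"]),
                "initgroups_user": ig["name"],     # first argument passed to initgroups()
                "initgroups_gid": int(ig["arg_gid"]),
                "error": ig["err"],
                # A process that is no longer uid 0 cannot change its
                # supplementary groups without CAP_SETGID.
                "already_unprivileged": uid != 0,
                "connection_closed": False,
            }
        elif m["msg"] == CLOSED and pid in failures:
            failures[pid]["connection_closed"] = True
    return list(failures.values())


if __name__ == "__main__":
    for record in find_failures(SAMPLE_LOG):
        print(record)
```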