On Mon, Sep 07, 2009 at 09:16:05PM +1000, Ian McWilliam wrote:
> Date: Mon, 07 Sep 2009 21:16:05 +1000
> From: Ian McWilliam <kaosa...@tpg.com.au>
> Subject: Re: Hiawatha cgi-wrapper: SUID PROBLEM
> To: Marco Spiga <ctx...@gmail.com>
> CC: ports@openbsd.org
>
> Marco Spiga wrote:
>> Anyone of you work with hiawatha webserver 6.14 (but I have tried various
>> versions) in OpenBSD 4.5 GENERIC i386?
>> The program cgi-wrapper won't set suid correctly!
>>
>> I state that the exact same configuration works very fine into
>> Linux ubuntu with custom kernel 2.6.30 and I move it into OpenBSD 4.5.
>>
>> # Hiawatha main configuration file
>> #
>>
>> # GENERAL SETTINGS
>> #
>> ServerId = www-data
>> ConnectionsTotal = 150
>> ConnectionsPerIP = 10
>> SystemLogfile = /var/log/hiawatha/system.log
>> GarbageLogfile = /var/log/hiawatha/garbage.log
>>
>> # BINDING SETTINGS
>> # A binding is where a client can connect to.
>> #
>> Binding {
>> Port = 80
>> Interface = 127.0.0.1
>> TimeForRequest = 3,20
>> }
>> Binding {
>> Port = 80
>> Interface = 128.0.0.2
>> TimeForRequest = 3,20
>> }
>> #
>>
>> CGIhandler = /usr/bin/perl:pl
>> CGIextension = cgi
>> CGIwrapper = /usr/local/sbin/cgi-wrapper
>> Hostname = 127.0.0.1
>> WebsiteRoot = /var/www/hiawatha
>> StartFile = index.html
>> AccessLogfile = /var/log/hiawatha/access.log
>> ErrorLogfile = /var/log/hiawatha/error.log
>> #ErrorHandler = 404:/error.cgi
>>
>> # VIRTUAL HOSTS
>> # Use a VirtualHost section to declare the websites you want to host.
>> #
>>
>> VirtualHost {
>> Hostname = 128.0.0.2
>> WebsiteRoot = /var/www/hsools/perl
>> StartFile = index.html
>> AccessLogfile = /var/www/hsools/log/access.log
>> ErrorLogfile = /var/www/hsools/log/error.log
>> ExecuteCGI = yes
>> RequireSSL = yes
>> WrapCGI = hsools
>> TimeForCGI = 5
>> }
>>
>> # CGI wrapper configuration
>> #
>> # Use the 'newroot' tool to copy applications to a chroot directory.
>>
>> # CGIhandler = /path/to/cgi-handler
>> #
>> CGIhandler = /usr/bin/perl
>>
>> # Wrap = <wrap-id>;<cgiroot>;<userid>[:<group>]
>> #
>> Wrap = hsools ; /var/www/hsools ; 1005:1005
>>
>> $ /usr/local/sbin/wignam
>> Using /usr/local/etc/hiawatha
>> Reading httpd.conf
>> No non-fatal errors found in the Hiawatha configuration.
>>
>> $ mount
>> /dev/wd0a on / type ffs (local)
>> /dev/wd0d on /home type ffs (local, nodev, noexec, nosuid)
>> /dev/wd0e on /usr type ffs (local, nodev)
>> /dev/wd0f on /var type ffs (local, nodev, nosuid)
>> mfs:3856 on /tmp type mfs (local, size=204800 512-blocks)
>>
>> $ ls -l /var/www
>> total 12
>> drwxr-xr-x 2 root wheel 512 Jun 10 20:17 hiawatha
>> drwxr-xr-x 6 myacc hsools 512 Jun 10 15:57 hsools
>>
>> $ ls -l /var/www/hsools
>> total 16
>> drwxr-x--x 2 myacc hsools 512 Sep 5 13:22 log
>> drwxr-xr-x 2 myacc hsools 512 Jun 10 19:35 perl
>>
>> $ ls -l /var/www/hsools/perl
>> total 12
>> -rwxr-xr-- 1 myacc hsools 1090 Jun 10 15:58 index.html
>> -rwxr-x--- 1 myacc hsools 829 Jun 10 19:35 login_admin.cgi
>>
>> $ ls -l /usr/local/sbin
>> total 2552
>> -rwsr-xr-x 1 root wheel 57854 Sep 7 11:02 cgi-wrapper
>> -rwxr-xr-x 1 root wheel 707955 Sep 7 11:02 hiawatha
>> -rwxr-xr-x 1 root wheel 2488 Sep 7 11:02 newroot
>> -rwxr-xr-x 1 root wheel 68672 Sep 7 11:02 php-fcgi
>> -rwxr-xr-x 1 root wheel 72329 Sep 7 11:02 wigwam
>>
>> $ cat /var/www/hsools/log/error.log
>> Mon 07 Sep 2009 10:34:17
>> +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via
>> filesystem
>> Mon 07 Sep 2009 11:42:35
>> +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via
>> filesystem
>> Mon 07 Sep 2009 11:52:10
>> +0200|128.0.0.2|/var/www/hsools/perl/login_admin.cgi|access denied via
>> filesystem
>>
>> Why doesn't cgi-wrapper set suid 'hsools' correctly?
>>
>> Many Thanks
>>
>> Marco
>>
>
> Probably your mount options.
>
> /dev/wd0f on /var type ffs (local, nodev, nosuid)
>
> By default OpenBSD will add nosuid to various mount points.
>
> Ian McWilliam

Hi Ian,
I have already tried this option but without any solution :-(

-- 
!!!!! Message from Marco !!!!!
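
The mount-option check discussed in this thread can be run per path, because nosuid is a property of the filesystem that holds the executable carrying the setuid bit. The script below is an added example, not part of either message: `mount_for`, `suid_honoured` and the `MOUNT_OUTPUT` variable are hypothetical names, and the sample data is the `mount` output quoted above.

```sh
#!/bin/sh
# Constructed sample: the `mount` output quoted in the thread above.
SAMPLE_MOUNT='/dev/wd0a on / type ffs (local)
/dev/wd0d on /home type ffs (local, nodev, noexec, nosuid)
/dev/wd0e on /usr type ffs (local, nodev)
/dev/wd0f on /var type ffs (local, nodev, nosuid)
mfs:3856 on /tmp type mfs (local, size=204800 512-blocks)'

# mount_for PATH (hypothetical helper): print "<mount point><TAB><options>"
# for the filesystem holding PATH, i.e. the longest mount point that is a
# prefix of PATH on a directory boundary. Reads $MOUNT_OUTPUT if set
# (e.g. MOUNT_OUTPUT=$(mount)), otherwise the sample above.
mount_for() {
    printf '%s\n' "${MOUNT_OUTPUT:-$SAMPLE_MOUNT}" | awk -v p="$1" '
        $2 == "on" {
            mp = $3
            opts = $0
            sub(/^[^(]*[(]/, "", opts)   # drop everything up to "("
            sub(/[)][^)]*$/, "", opts)   # drop the closing ")"
            gsub(/, */, ",", opts)       # normalise ", " to ","
            pre = (mp == "/") ? "/" : mp "/"
            if ((p == mp || index(p, pre) == 1) && length(mp) > length(best)) {
                best = mp; bestopts = opts
            }
        }
        END { if (best != "") print best "\t" bestopts }'
}

# suid_honoured PATH (hypothetical helper): succeed only if the filesystem
# holding PATH is mounted without nosuid.
suid_honoured() {
    opts=$(mount_for "$1" | cut -f2)
    case ",$opts," in
        *,nosuid,*) return 1 ;;
        *) return 0 ;;
    esac
}

# The setuid wrapper and the CGI script named in the thread.
for f in /usr/local/sbin/cgi-wrapper /var/www/hsools/perl/login_admin.cgi; do
    if suid_honoured "$f"; then
        verdict="setuid bits honoured on this mount"
    else
        verdict="nosuid mount: setuid bits ignored here"
    fi
    printf '%s -> %s: %s\n' "$f" "$(mount_for "$f" | cut -f1)" "$verdict"
done
```

On a live system, run it with `MOUNT_OUTPUT=$(mount)` exported so the lookup uses the current mount table instead of the sample.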