Brian Capouch
2005-Apr-28 21:43 UTC
[Asterisk-Users] vmail.cgi: -rwsr-sr-x as root *still* won't read the files
I'm running Apache as "nobody." Wondering why the SUID vmail.cgi script still can't read my files; it comes with the bits set SUID, which I thought would do the trick.

It works just fine if I make the files in the maildir world-readable.

Thanks. No clues in the archives nor Wiki that appear germane.

B.
mike castleman
2005-Apr-28 21:58 UTC
[Asterisk-Users] vmail.cgi: -rwsr-sr-x as root *still* won't read the files
Try making sure you have installed the suid perl stuff if your OS needs it. Some kernels do not natively obey the setuid flag when executing scripts. (On Debian, this involves installing the perl-suid package. Other Linux-based distributions probably need something similar.)

On Thu, Apr 28, 2005 at 11:43:57PM -0500, Brian Capouch wrote:
> I'm running Apache as "nobody." Wondering why the SUID vmail.cgi script
> still can't read my files; it comes with the bits set SUID, which I
> thought would do the trick.
>
> It works just fine if I make the files in the maildir world-readable.
>
> Thanks. No clues in the archives nor Wiki that appear germane.
>
> B.

--
mike castleman
network / systems administrator
democracy now!
Tzafrir Cohen
2005-May-01 08:37 UTC
[Asterisk-Users] vmail.cgi: -rwsr-sr-x as root *still* won't read the files
On Thu, Apr 28, 2005 at 11:43:57PM -0500, Brian Capouch wrote:
> I'm running Apache as "nobody." Wondering why the SUID vmail.cgi script
> still can't read my files; it comes with the bits set SUID, which I
> thought would do the trick.
>
> It works just fine if I make the files in the maildir world-readable.
>
> Thanks. No clues in the archives nor Wiki that appear germane.

Apache's suexec will not run suid scripts. It will also not run scripts as root. It has a strict checklist (specified in its docs) that it checks the target script against before executing it. If the script fails one of those requirements, you'll see a note in suexec's logs.

Linux in general will not run SUID scripts (executables whose magic is '#!') as some race conditions will allow you to abuse this to run arbitrary commands as the target user.

Anyway, asterisk should not be running as root. It should be running under its own, separate user. That's what the switch -U is for. And now you only have to find a way to run that script as that asterisk user.

--
Tzafrir Cohen
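
Added example, not part of the thread or of Asterisk: a simplified Python model of the behaviour the replies describe (the Linux kernel ignoring setuid bits on `#!` scripts), which shows why the CGI still ran as "nobody" and could only read world-readable files. The function names, the UID/GID numbers (65534, 1234) and the file modes are constructed assumptions; nosuid mounts, ACLs and suidperl are not modelled.

```python
import os
import stat

def is_interpreter_script(path):
    """True if the file starts with the '#!' magic."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"

def effective_uid_after_exec(path, caller_uid):
    """Simplified Linux exec model: the setuid bit switches the effective
    UID only for native binaries; on '#!' scripts the kernel ignores it."""
    st = os.stat(path)
    if st.st_mode & stat.S_ISUID and not is_interpreter_script(path):
        return st.st_uid
    return caller_uid

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic owner/group/other read check (ACLs not modelled)."""
    if uid == 0:                      # root bypasses permission bits
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def diagnose(cgi_path, caller_uid, caller_gids, data_mode, data_uid, data_gid):
    """Return (effective_uid, readable, notes) for a CGI reading one file."""
    st = os.stat(cgi_path)
    notes = []
    special = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
    if special and is_interpreter_script(cgi_path):
        notes.append("setuid/setgid bits on a '#!' script are ignored")
    if st.st_mode & stat.S_ISUID and st.st_uid == 0:
        notes.append("setuid owner is root; prefer a dedicated service user")
    euid = effective_uid_after_exec(cgi_path, caller_uid)
    return euid, can_read(data_mode, data_uid, data_gid, euid, caller_gids), notes

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a Perl CGI stub with mode 4755, called by UID 65534.
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"#!/usr/bin/perl\n")
    os.chmod(fh.name, 0o4755)
    # Data file modelled as mode 0600 owned by constructed UID/GID 1234.
    print(diagnose(fh.name, 65534, [65534], 0o600, 1234, 1234))
    os.unlink(fh.name)
```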