Bug: testenv script should check effective uid with getpwuid($>) not "real" uid
Apache launches the httpd process as root, then swaps the effective UID as configured.
e.g. see httpd.conf:
#
# Port: The port to which the standalone server listens. For
# ports < 1023, you will need httpd to be run as root initially.
#
Port 80
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
...
User www
Group www
The testenv script for TWiki looks at the real UID, using
    my $usr = lc( getlogin || getpwuid($<) );
This is inappropriate; it should instead look at the effective UID of the httpd process, using
    my $usr = lc( getpwuid($>) );
Test case
I modified the testenv script, as:
    my $usr = lc( getlogin || getpwuid($<) );
    my $eusr = lc( getpwuid($>) );
    ...
    print "<tr><th align=\"right\">User:</th><td>$usr</td></tr>\n";
    print "<tr><th align=\"right\">Effective User:</th><td>$eusr</td></tr>\n";
The results:
User: root
Effective User: www
I also ran a very simple CGI on my server (it's a printenv script). I added the following code to the script:
    print "<P>\nI am ", `whoami`, " ", `id`, "\n<P>";
    system("touch /tmp/newfile");
    system("ls -al /tmp/newfile");
    unlink("/tmp/newfile");
The results:
    I am www uid=80(www) gid=80(www) groups=80(www)
    -rw-r--r--  1 www  wheel  0 Jun  1 22:49 /tmp/newfile
testenv claims I am running as user root; I am not; I am running as user www.
testenv should be fixed to check the login ID vs the effective user ID and report the euid if the two results differ.
Environment
| TWiki version: | new, unmodified, TWiki20030201 |
| TWiki plugins: | n/a |
| Server OS: | FreeBSD 4.7, Mac OS X Server |
| Web server: | Apache 1.3.27 |
| Perl version: | v5.6.1 built for i386-freebsd |
| Client OS: | Mac OS X 10.2.6 |
| Web Browser: | Safari or IE 5 (it doesn't matter) |
--
VickiBrown - 02 Jun 2003
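Added example, not part of the TWiki testenv script or any of the posts above: a small Perl 5.6-compatible routine that reports both the real and effective user and group of the running process (via $<, $>, $( and $)) and flags when they differ, which is the reporting behaviour the bug report asks for. The function names are hypothetical.

```perl
#!/usr/bin/perl -w
# Added example (hypothetical helper, not the TWiki testenv code): report the
# identity httpd actually runs under. A root-launched httpd that switched to
# "User www" has effective uid www; a setuid wrapper such as suexec can leave
# real and effective ids different, so both are shown and a mismatch is flagged.
use strict;

# Map a numeric uid to a lowercase login name; fall back to the number when
# there is no passwd entry (e.g. inside a minimal chroot).
sub uid_name {
    my $uid  = shift;
    my $name = getpwuid($uid);
    return defined $name ? lc($name) : "uid $uid";
}

# $( and $) hold the primary gid followed by supplementary gids, separated
# by spaces; resolve each one the same way testenv does with getgrgid.
sub gid_names {
    my $list = shift;
    my @names;
    foreach my $gid ( split( " ", $list ) ) {
        my $g = getgrgid($gid);
        push @names, defined $g ? lc($g) : "gid $gid";
    }
    return join( " ", @names );
}

# Returns a hash describing the process identity. 'mismatch' is true when the
# real and effective uid differ, which is exactly the case where reporting
# only the real uid (or getlogin) would mislead the administrator.
sub identity_report {
    my %r = (
        real_user        => uid_name( $< ),
        effective_user   => uid_name( $> ),
        real_groups      => gid_names( $( ),
        effective_groups => gid_names( $) ),
    );
    $r{mismatch} = ( $< != $> ) ? 1 : 0;
    return %r;
}

my %id = identity_report();
print "User: $id{effective_user}";
print " (real user: $id{real_user})" if $id{mismatch};
print "\nGroups: $id{effective_groups}\n";
```

Run it as a CGI under the web server rather than from a shell, since the point is the identity of the httpd child process, not of the logged-in administrator.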
Follow up
This was reported a while back by email, and fixed in TWikiAlphaRelease - please try the latest CVSget:bin/testenv, where the code looks like this:
    # Get web server's user and group info
    my $usr = "";
    my $grp = "";
    if( $OS eq 'UNIX' or ($OS eq 'WINDOWS' and $perltype eq 'Cygwin' ) ) {
        $usr = lc( getpwuid($<) );    # Unix/Cygwin Perl
        foreach( split( " ", $( ) ) {
            my $onegrp = getgrgid( $_ );
            $grp .= " " . lc($onegrp);
        }
    } else {                          # ActiveState or other Win32 Perl
        $usr = lc( getlogin );
        # Try to use Cygwin's 'id' command - may be on the path, since Cygwin
        # is probably installed to supply ls, egrep, etc - if it isn't, give up.
        # Run command without stderr output, to avoid CGI giving error.
        # Get names of primary and other groups.
        $grp = lc(qx(sh -c '( id -un ; id -gn) 2>/dev/null' 2>nul ));
        if ($?) {
            $grp = "[Can't identify groups - no Cygwin 'id' or 'sh' command on path]\n";
        }
    }
As you can see, getpwuid is now used on all Unix platforms, and getlogin only on non-CygWin Win32 platforms.
--
RichardDonkin - 02 Jun 2003
- the getlogin will result in root (probably because the apache does not use the setlogin(2))
- the getpwuid($<) ($REAL_USER_ID) will result in www
- the getpwuid($>) ($EFFECTIVE_USER_ID) will result in www
--
JanRuzicka - 05 Jun 2003
In this case, real = effective - however, if the consensus is that we should be using the effective userid and group, I'll change the code to reflect this. In a SecureSetup using suexec or similar, the effective would differ from real, but I don't have any problems with this on a Linux box that uses suexec with the current code.
--
RichardDonkin - 06 Jun 2003
Fix record
Now fixed in TWikiAlphaRelease. Sorry for the delay, but nobody replied to the above...
--
RichardDonkin - 11 Sep 2003