Tags:
create new tag
view all tags

Bug: testenv script should check effective uid with getpwuid($>) not "real" uid

Apache launches the httpd process as root, then swaps the effective UID as configured. e.g. see httpd.conf:

  #
  # Port: The port to which the standalone server listens. For
  # ports < 1023, you will need httpd to be run as root initially.
  # 
  Port 80

  # If you wish httpd to run as a different user or group, you must run
  # httpd as root initially and it will switch.
  ...
  User  www
  Group  www

The testenv script for TWiki looks at the real UID, using

   my $usr = lc( getlogin || getpwuid($<) );

This is inappropriate; it should instead look at the effective UID of the httpd process, using

   my $usr = lc( getpwuid($>) ); 

Test case

I modified the testenv script, as:

  my $usr = lc( getlogin || getpwuid($<) );
  my $eusr = lc( getpwuid($>) );            
  ...
  print "<tr><th align=\"right\">User:</th><td>$usr</td></tr>\n";
  print "<tr><th align=\"right\">Effective User:</th><td>$eusr</td></tr>\n";

The results:

User
root

Effective User: www

I also ran a very simple CGI on my server (it's a printenv script). I added the following code to the script:

    print "<P>\nI am ", `whoami`, " ", `id`, "\n<P>";

    system("touch /tmp/newfile");
    system("ls -al /tmp/newfile");
    unlink("/tmp/newfile");

The results:

I am www uid=80(www) gid=80(www) groups=80(www)

-rw-r--r-- 1 www wheel 0 Jun 1 22:49 /tmp/newfile

testenv claims I am running as user root; I am not; I am running as user www. testenv should be fixed to check the login ID vs the effective user ID and report the euid if the two results differ.

Environment

TWiki version: new, unmodified, TWiki20030201
TWiki plugins: n/a
Server OS: FreeBSD 4.7, Mac OS X Server
Web server: Apache 1.3.27
Perl version: v5.6.1 built for i386-freebsd
Client OS: Mac OS X 10.2.6
Web Browser: Safari or IE 5 (it doesn't matter)

-- VickiBrown - 02 Jun 2003

Follow up

This was reported a while back by email, and fixed in TWikiAlphaRelease - please try the latest CVSget:bin/testenv, where the code looks like this:

# Get web server's user and group info
my $usr = "";
my $grp = "";
if( $OS eq 'UNIX' or  ($OS eq 'WINDOWS' and $perltype eq 'Cygwin' ) ) {
    $usr = lc( getpwuid($<) );          # Unix/Cygwin Perl
    foreach( split( " ", $( ) ) {
        my $onegrp = getgrgid( $_ );
        $grp .= " " . lc($onegrp);
    }

} else {                                # ActiveState or other Win32 Perl
    $usr = lc( getlogin );
    # Try to use Cygwin's 'id' command - may be on the path, since Cygwin
    # is probably installed to supply ls, egrep, etc - if it isn't, give up.
    # Run command without stderr output, to avoid CGI giving error.
    # Get names of primary and other groups.
    $grp = lc(qx(sh -c '( id -un ; id -gn) 2>/dev/null' 2>nul ));
    if ($?) {
        $grp = "[Can't identify groups - no Cygwin 'id' or 'sh' command on path]
";
    }
}

As you can see, getpwuid is now used on all Unix platforms, and getlogin only on non-CygWin Win32 platforms.

-- RichardDonkin - 02 Jun 2003

  • the getlogin will result in root (probably becaus the apache does not use the setlogin(2))
  • the getpwuid($<) ($REAL_USER_ID) will result in www
  • the getpwuid($>) ($EFFECTIVE_USER_ID) will result in www

-- JanRuzicka - 05 Jun 2003

In this case, real = effective - however, if the consensus is that we should be using the effective userid and group, I'll change the code to reflect this. In a SecureSetup using suexec or similar, the effective would differ from real, but I don't have any problems with this on a Linux box that uses suexec with the current code.

-- RichardDonkin - 06 Jun 2003

Fix record

Now fixed in TWikiAlphaRelease. Sorry for the delay, but nobody replied to the above...

-- RichardDonkin - 11 Sep 2003

Edit | Attach | Watch | Print version | History: r8 < r7 < r6 < r5 < r4 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r8 - 2003-12-17 - PeterThoeny
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.