This is the mail archive of the cygwin-apps@cygwin.com mailing list for the Cygwin project.



Re: apache-1.3.22-4 no-detach patch


On Sun, Jan 20, 2002 at 05:31:40PM +0100, Stipe Tolj wrote:
> Please grab
> 
>   apache-1.3.22-3.tar.bz2
>   apache-1.3.22-4-no-detach.tar.bz2 
> 
> from http://apache.dev.wapme.net/support/apache-cygwin/ and replace
> the files in -4 with those of -3 for testing.

That works nicely.  Just one problem left, though.

In /etc/apache/httpd.conf I've set User to `Guest' (uid 501).
The apache service is started under SYSTEM account.  When
looking into the process list you can see:

      PID    PPID    PGID     WINPID  TTY  UID    STIME COMMAND
      196       1     196        196    ?   18 10:53:42 /usr/bin/cygrunsrv
     2504     196    2504       3740    ?   18 10:53:42 /usr/sbin/httpd
     4012    2504    2504       4012    ?   18 10:53:43 /usr/sbin/httpd

It's ok that the service process is running under SYSTEM (uid 18)
account but the server process should have switched to the Guest
account (uid 501) like that:

      PID    PPID    PGID     WINPID  TTY  UID    STIME COMMAND
      196       1     196        196    ?   18 10:53:42 /usr/bin/cygrunsrv
     2504     196    2504       3740    ?   18 10:53:42 /usr/sbin/httpd
     4012    2504    2504       4012    ?  501 10:53:43 /usr/sbin/httpd

This would be the same as in Linux then, where the service is
started under root but the server runs under some nobody account.

Is the setuid() switched off in the Cygwin version???  That's
somewhat dangerous, actually.  That way it's impossible to
run the server under an account with as few rights as possible.
Example Guest account:  The machine would have to give "Start
as a service" user right to the Guest account.  Uh, wait a
minute...

*dig, dig, dig*

Ok, as far as I can see, the problem is line 4136f. in http_main.c:

    /* Only try to switch if we're running as root */
    if (!geteuid() && (

That could get changed to (just a draft):

  #ifdef CYGWIN
    /* Only try to switch if we're running as SYSTEM */
    #define SYSTEM_UID 18
    if (geteuid() == SYSTEM_UID && (
  #else
    /* Only try to switch if we're running as root */
    if (!geteuid() && (
  #endif

Or is that the stuff in line 5375f.?  I'm not quite sure.

> Be aware to have
> 
>   $ chown SYSTEM /var/log/apache
> 
> otherwise you won't get going.

Could you call that `chown' in your /etc/postinstall script?

> I'll ask the Apache guys if a OS-wide flag may be introduced.
> Otherwise, I will provide them a patch for the Cygwin specific flag.

That would of course be the best solution.  However, except for the
setuid() problem and the postinstall one-liner we can go with it as
it is for now.

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.
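
Added example, not part of the original message or of Apache/Cygwin: a small Python check that automates the comparison made by eye above, reporting httpd children that still run under the service account instead of the configured User uid. The process lists are the two quoted in the message; the function names and the `daemon` parameter are hypothetical.

```python
"""Flag httpd worker processes that did not switch to the configured User uid."""

# Process list as observed in the message (worker 4012 still uid 18).
OBSERVED = """\
      PID    PPID    PGID     WINPID  TTY  UID    STIME COMMAND
      196       1     196        196    ?   18 10:53:42 /usr/bin/cygrunsrv
     2504     196    2504       3740    ?   18 10:53:42 /usr/sbin/httpd
     4012    2504    2504       4012    ?   18 10:53:43 /usr/sbin/httpd
"""
# Process list the message says it should be (worker 4012 switched to uid 501).
EXPECTED = OBSERVED.replace("?   18 10:53:43", "?  501 10:53:43")


def parse_ps(text):
    """Return one dict per process row, keyed by the header's column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        # COMMAND is last and may contain spaces, so cap the number of splits.
        fields = ln.split(None, len(header) - 1)
        if len(fields) != len(header):
            continue  # skip malformed rows rather than guess at columns
        row = dict(zip(header, fields))
        for col in ("PID", "PPID", "UID"):
            row[col] = int(row[col])
        rows.append(row)
    return rows


def unswitched_workers(text, configured_uid, daemon="/usr/sbin/httpd"):
    """PIDs of daemon children whose uid differs from the configured User uid.

    The first daemon process (child of the service wrapper) is expected to keep
    the service account, so only processes whose parent is also the daemon
    are checked.
    """
    procs = [p for p in parse_ps(text) if p["COMMAND"].split()[0] == daemon]
    daemon_pids = {p["PID"] for p in procs}
    return [p["PID"] for p in procs
            if p["PPID"] in daemon_pids and p["UID"] != configured_uid]


if __name__ == "__main__":
    print("observed:", unswitched_workers(OBSERVED, 501))
    print("expected:", unswitched_workers(EXPECTED, 501))
```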

