Bug: testenv script should check effective uid with getpwuid($>) not "real" uid

Apache launches the httpd process as root, then swaps the effective UID as configured. e.g. see httpd.conf:

 #
 # Port: The port to which the standalone server listens. For
 # ports < 1023, you will need httpd to be run as root initially.
 # 
 Port 80
 # If you wish httpd to run as a different user or group, you must run
 # httpd as root initially and it will switch.
 ...
 User www
 Group www

The testenv script for TWiki looks at the real UID, using

 my $usr = lc( getlogin || getpwuid($<) );

This is inappropriate; it should instead look at the effective UID of the httpd process, using

 my $usr = lc( getpwuid($>) ); 

Test case

I modified the testenv script, as:

 my $usr = lc( getlogin || getpwuid($<) );
 my $eusr = lc( getpwuid($>) ); 
 ...
 print "<tr><th align=\"right\">User:</th><td>$usr</td></tr>\n";
 print "<tr><th align=\"right\">Effective User:</th><td>$eusr</td></tr>\n";

The results:

 User: root
 Effective User: www

I also ran a very simple CGI on my server (it's a printenv script). I added the following code to the script:

 print "<P>\nI am ", `whoami`, " ", `id`, "\n<P>";
 system("touch /tmp/newfile");
 system("ls -al /tmp/newfile");
 unlink("/tmp/newfile");

The results:

I am www uid=80(www) gid=80(www) groups=80(www)

-rw-r--r-- 1 www wheel 0 Jun 1 22:49 /tmp/newfile

testenv claims I am running as user root; I am not; I am running as user www. testenv should be fixed to check the login ID vs the effective user ID and report the euid if the two results differ.

Environment

TWiki version: new, unmodified, TWiki20030201
TWiki plugins: n/a
Server OS: FreeBSD 4.7, Mac OS X Server
Web server: Apache 1.3.27
Perl version: v5.6.1 built for i386-freebsd
Client OS: Mac OS X 10.2.6
Web Browser: Safari or IE 5 (it doesn't matter)

-- VickiBrown - 02 Jun 2003

Follow up

This was reported a while back by email, and fixed in TWikiAlphaRelease - please try the latest CVSget:bin/testenv, where the code looks like this:

 # Get web server's user and group info
 my $usr = "";
 my $grp = "";
 if( $OS eq 'UNIX' or ($OS eq 'WINDOWS' and $perltype eq 'Cygwin' ) ) {
     $usr = lc( getpwuid($<) ); # Unix/Cygwin Perl
     foreach( split( " ", $( ) ) {
         my $onegrp = getgrgid( $_ );
         $grp .= " " . lc($onegrp);
     }
 } else { # ActiveState or other Win32 Perl
     $usr = lc( getlogin );
     # Try to use Cygwin's 'id' command - may be on the path, since Cygwin
     # is probably installed to supply ls, egrep, etc - if it isn't, give up.
     # Run command without stderr output, to avoid CGI giving error.
     # Get names of primary and other groups.
     $grp = lc(qx(sh -c '( id -un ; id -gn) 2>/dev/null' 2>nul ));
     if ($?) {
         $grp = "[Can't identify groups - no Cygwin 'id' or 'sh' command on path]\n";
     }
 }

As you can see, getpwuid is now used on all Unix platforms, and getlogin only on non-CygWin Win32 platforms.

-- RichardDonkin - 02 Jun 2003

  • getlogin will result in root (probably because Apache does not use setlogin(2))
  • getpwuid($<) ($REAL_USER_ID) will result in www
  • getpwuid($>) ($EFFECTIVE_USER_ID) will result in www

-- JanRuzicka - 05 Jun 2003

In this case, real = effective - however, if the consensus is that we should be using the effective userid and group, I'll change the code to reflect this. In a SecureSetup using suexec or similar, the effective would differ from real, but I don't have any problems with this on a Linux box that uses suexec with the current code.

-- RichardDonkin - 06 Jun 2003
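The check the report asks for (report the effective user, and the real user only when the two differ, as under a root-to-www switch or suexec), written as an added stand-alone example rather than TWiki's own testenv code; the subroutine names identity(), report(), _uname() and _gname() are this example's own, and it uses $) for the effective group list where testenv reads the real list $(.

```perl
#!/usr/bin/perl
# Added example, not TWiki's testenv: compare real and effective identity.
use strict;
use warnings;

# Name lookups can return undef for an id with no passwd/group entry,
# so fall back to the numeric id rather than printing an empty string.
sub _uname { my $n = getpwuid( $_[0] ); defined $n ? lc $n : $_[0] }
sub _gname { my $n = getgrgid( $_[0] ); defined $n ? lc $n : $_[0] }
sub _uniq  { my %seen; grep { !$seen{$_}++ } @_ }

# Collect real ($<, $() and effective ($>, $)) identity of this process.
# $( and $) hold "gid gid gid ..."; the first entry is the primary group.
sub identity {
    my %id = (
        real_uid      => $<,
        effective_uid => $>,
        real_user      => _uname($<),
        effective_user => _uname($>),
        real_groups      => [ map { _gname($_) } _uniq( split( ' ', $( ) ) ],
        effective_groups => [ map { _gname($_) } _uniq( split( ' ', $) ) ) ],
    );
    # getlogin() is the session login name, not the CGI's identity; for a
    # daemon started from a root shell it can still say "root".
    $id{login} = getlogin();
    return \%id;
}

# Lines a testenv-style page would print: the effective user always,
# the real user only when it differs, and a note when getlogin() disagrees.
sub report {
    my $id = identity();
    my @lines = ( "Effective user: $id->{effective_user} ("
                . join( ' ', @{ $id->{effective_groups} } ) . ")" );
    push @lines, "Real user: $id->{real_user} ("
                . join( ' ', @{ $id->{real_groups} } )
                . ") - differs from effective, privilege switch or suexec in use"
        if $id->{real_uid} != $id->{effective_uid};
    push @lines, "Note: getlogin() reports '$id->{login}', which is the session login, not this process"
        if defined $id->{login} && lc $id->{login} ne $id->{effective_user};
    return @lines;
}

print "$_\n" for report();
```

Run it as a CGI under the httpd in question to see the effective user Apache actually switched to; run it from a shell and it simply reports your own account.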

Fix record

Now fixed in TWikiAlphaRelease. Sorry for the delay, but nobody replied to the above...

-- RichardDonkin - 11 Sep 2003

Topic revision: r8 - 17 Dec 2003 - PeterThoeny