Project

General

Profile

Bug #2374

lighttpd-1.4.29 cannot execute unreadable CGIs

Added by Hawk777 over 5 years ago. Updated 6 months ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
2011-12-22
Due date:
% Done:

0%

Missing in 1.5.x:
No

Description

Lighttpd tries to open() the CGI. If this fails with EACCES, the request returns 403. This shouldn't happen: if the request is to be handled by a CGI, it needs to be executable by the Lighttpd user, but there's no reason it should have to be readable. I have an strace if you want, though it's not very informative (just shows open() returning EACCES).

Associated revisions

Revision b9f245f2 (diff)
Added by gstrauss 6 months ago

[mod_cgi] permit CGI exec of unreadable files (fixes #2374)

CGI target might be executable (+x), but not readable (-r)

x-ref:
"lighttpd-1.4.29 cannot execute unreadable CGIs"
https://redmine.lighttpd.net/issues/2374

History

#1 Updated by Hawk777 over 5 years ago

I neglected to mention this in my initial report, but the CGI in question is an ELF and can be executed without issue from bash running as the Lighttpd user account.

#2 Updated by darix over 5 years ago

  • Status changed from New to Invalid

you need read permission to execute a file.

#3 Updated by Hawk777 about 5 years ago

  • Status changed from Invalid to Reopened

No you don't. Please try this for yourself if you don't believe me:

$ cat test.c
#include <stdio.h>
int main(void) {
puts("Hello World");
return 0;
}

$ gcc -otest test.c
$ chmod 0111 test
$ ./test
Hello World

#4 Updated by stbuehler about 5 years ago

  • Status changed from Reopened to Wontfix

Yes, you can execute "not readable" files, although it is useless if you don't set SUID also (without SUID you can just LD_PRELOAD anything you want).

The open() is from our stat code; i don't intend to change the semantics of it, so you have to live with the current behaviour - just provide a readable wrapper script (and perhaps replace SUID with sudo):

#!/bin/sh

exec /path/to/real/binary

#5 Updated by Hawk777 about 5 years ago

I understand not wanting to modify core code paths for a mildly-obscure situation. I'll try to convince my distro to install Mailman's CGIs mode 2755 instead of 2751 so I can stop changing them by hand. Sorry for bothering you folks.

#6 Updated by gstrauss 6 months ago

  • Status changed from Wontfix to Fixed
  • Target version set to 1.4.42

Also available in: Atom