Bug #2374

lighttpd-1.4.29 cannot execute unreadable CGIs

Added by Hawk777 over 7 years ago. Updated over 2 years ago.

Lighttpd tries to open() the CGI. If this fails with EACCES, the request returns 403. This shouldn't happen: if the request is to be handled by a CGI, it needs to be executable by the Lighttpd user, but there's no reason it should have to be readable. I have an strace if you want, though it's not very informative (just shows open() returning EACCES).

Associated revisions

Revision b9f245f2 (diff)
Added by gstrauss over 2 years ago

[mod_cgi] permit CGI exec of unreadable files (fixes #2374)

CGI target might be executable (+x), but not readable (-r)

"lighttpd-1.4.29 cannot execute unreadable CGIs"



Updated by Hawk777 over 7 years ago

I neglected to mention this in my initial report, but the CGI in question is an ELF and can be executed without issue from bash running as the Lighttpd user account.


Updated by darix over 7 years ago

  • Status changed from New to Invalid

You need read permission to execute a file.


Updated by Hawk777 over 7 years ago

  • Status changed from Invalid to Reopened

No you don't. Please try this for yourself if you don't believe me:

$ cat test.c
#include <stdio.h>
int main(void) {
    puts("Hello World");
    return 0;
}
$ gcc -otest test.c
$ chmod 0111 test
$ ./test
Hello World


Updated by stbuehler over 7 years ago

  • Status changed from Reopened to Wontfix

Yes, you can execute "not readable" files, although it is useless if you don't set SUID also (without SUID you can just LD_PRELOAD anything you want).

The open() is from our stat code; I don't intend to change the semantics of it, so you have to live with the current behaviour - just provide a readable wrapper script (and perhaps replace SUID with sudo):

#!/bin/sh
exec /path/to/real/binary

Updated by Hawk777 over 7 years ago

I understand not wanting to modify core code paths for a mildly-obscure situation. I'll try to convince my distro to install Mailman's CGIs mode 2755 instead of 2751 so I can stop changing them by hand. Sorry for bothering you folks.


Updated by gstrauss over 2 years ago

  • Status changed from Wontfix to Fixed
  • Target version set to 1.4.42
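
The modes discussed in this thread (the 0111 test binary, and Mailman's 2751 versus 2755) can be told apart from the permission bits alone. The following is an added example, not lighttpd code and not part of any comment above; the names `dac_allows` and `cgi_check` are hypothetical, and the model assumes a non-root caller and ignores ACLs, supplementary groups and capabilities.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum { WANT_X = 1, WANT_R = 4 };
enum cgi_verdict { CGI_NOT_EXECUTABLE, CGI_EXEC_ONLY, CGI_EXEC_AND_READ };

/* Model of the permission-bit check for a non-root caller. Exactly one
 * class applies: owner, else group, else other. Assumption: ACLs,
 * supplementary groups and capabilities are ignored. */
int dac_allows(mode_t mode, uid_t fuid, gid_t fgid, uid_t uid, gid_t gid, int want)
{
    int bits;
    if (uid == fuid)      bits = (mode >> 6) & 7;
    else if (gid == fgid) bits = (mode >> 3) & 7;
    else                  bits = mode & 7;
    return (bits & want) == want;
}

/* CGI_EXEC_ONLY is the case from the report: execve() is permitted,
 * but an open() for reading fails with EACCES. */
enum cgi_verdict cgi_check(mode_t mode, uid_t fuid, gid_t fgid, uid_t uid, gid_t gid)
{
    if (!dac_allows(mode, fuid, fgid, uid, gid, WANT_X))
        return CGI_NOT_EXECUTABLE;
    return dac_allows(mode, fuid, fgid, uid, gid, WANT_R)
        ? CGI_EXEC_AND_READ : CGI_EXEC_ONLY;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "not executable",
        "executable, read-open gets EACCES", "executable and readable" };
    struct stat st;
    if (argc < 2 || stat(argv[1], &st) != 0) {
        fprintf(stderr, "usage: %s <path-to-cgi>\n", argv[0]);
        return 1;
    }
    printf("%s: mode %04o: %s\n", argv[1], (unsigned)(st.st_mode & 07777),
           names[cgi_check(st.st_mode, st.st_uid, st.st_gid, geteuid(), getegid())]);
    return 0;
}
```

Run it as the web server's user against a CGI path to see which of the three cases applies to that account.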
