Bug #2374

lighttpd-1.4.29 cannot execute unreadable CGIs

Added by Hawk777 almost 6 years ago. Updated about 1 year ago.

Lighttpd tries to open() the CGI. If this fails with EACCES, the request returns 403. This shouldn't happen: if the request is to be handled by a CGI, it needs to be executable by the Lighttpd user, but there's no reason it should have to be readable. I have an strace if you want, though it's not very informative (just shows open() returning EACCES).

Associated revisions

Revision b9f245f2 (diff)
Added by gstrauss about 1 year ago

[mod_cgi] permit CGI exec of unreadable files (fixes #2374)

CGI target might be executable (+x), but not readable (-r)

"lighttpd-1.4.29 cannot execute unreadable CGIs"


#1 Updated by Hawk777 almost 6 years ago

I neglected to mention this in my initial report, but the CGI in question is an ELF and can be executed without issue from bash running as the Lighttpd user account.

#2 Updated by darix almost 6 years ago

  • Status changed from New to Invalid

You need read permission to execute a file.

#3 Updated by Hawk777 almost 6 years ago

  • Status changed from Invalid to Reopened

No you don't. Please try this for yourself if you don't believe me:

$ cat test.c
#include <stdio.h>
int main(void) {
    puts("Hello World");
    return 0;
}
$ gcc -o test test.c
$ chmod 0111 test
$ ./test
Hello World

#4 Updated by stbuehler over 5 years ago

  • Status changed from Reopened to Wontfix

Yes, you can execute "not readable" files, although it is useless if you don't set SUID also (without SUID you can just LD_PRELOAD anything you want).

The open() is from our stat code; I don't intend to change the semantics of it, so you have to live with the current behaviour - just provide a readable wrapper script (and perhaps replace SUID with sudo):

#!/bin/sh
exec /path/to/real/binary
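As an added example (not from any participant in this ticket and not lighttpd code), the following POSIX shell script reproduces the facts the comments above rely on and the suggested workaround: an ELF with mode 0111 executes but cannot be opened for reading, which is the open() in lighttpd's stat code that returned EACCES; an exec-only script does not run at all, because its interpreter has to read it; and a readable wrapper that exec's the exec-only binary runs. It assumes a true(1) binary at /bin/true or /usr/bin/true to stand in for the CGI and keeps the copy under the name true so a busybox-based system still dispatches the applet. Run it as an unprivileged user: root bypasses the read check and sees "ok" on every line.

```shell
#!/bin/sh
# Added demonstration, not lighttpd code: exec-only (mode 0111) files,
# the open() that fails on them, and the readable-wrapper workaround.
set -u

# Pick a small ELF binary to stand in for the CGI. Assumption: a
# coreutils- or busybox-style true(1) lives at one of these paths.
find_elf() {
    for p in /bin/true /usr/bin/true; do
        if [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Create a scratch directory holding three files and print its path:
#   true      exec-only ELF (mode 0111, as in Hawk777's chmod test);
#             kept under its real name so a busybox copy still dispatches
#   cgi.sh    exec-only shell script (mode 0111)
#   wrapper   readable script that exec's the exec-only ELF (the workaround)
setup_demo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/cgi-demo.XXXXXX") || return 1
    cp "$(find_elf)" "$dir/true" || return 1
    chmod 0111 "$dir/true"
    printf '#!/bin/sh\nexit 0\n' > "$dir/cgi.sh"
    chmod 0111 "$dir/cgi.sh"
    printf '#!/bin/sh\nexec "%s"\n' "$dir/true" > "$dir/wrapper"
    chmod 0755 "$dir/wrapper"
    printf '%s\n' "$dir"
}

# "ok" if the file can be opened for reading, "eacces" otherwise. This is
# the open() lighttpd's stat code performed before exec'ing the CGI.
can_read() {
    if cat "$1" >/dev/null 2>&1; then echo ok; else echo eacces; fi
}

# "ok" if the file executes successfully, "fail" otherwise (the kernel
# needs only the x bit for an ELF; a script's interpreter also needs r).
can_exec() {
    if "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo() {
    dir=$(setup_demo) || return 1
    printf 'open()  exec-only ELF    : %s\n' "$(can_read "$dir/true")"
    printf 'exec    exec-only ELF    : %s\n' "$(can_exec "$dir/true")"
    printf 'exec    exec-only script : %s\n' "$(can_exec "$dir/cgi.sh")"
    printf 'exec    readable wrapper : %s\n' "$(can_exec "$dir/wrapper")"
    rm -rf "$dir"
}

demo
```

The last output line is the workaround from comment #4 in action: the server only ever stats and opens the readable wrapper, and the unreadable binary is reached through exec. The LD_PRELOAD remark in the same comment is not exercised here.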

#5 Updated by Hawk777 over 5 years ago

I understand not wanting to modify core code paths for a mildly-obscure situation. I'll try to convince my distro to install Mailman's CGIs mode 2755 instead of 2751 so I can stop changing them by hand. Sorry for bothering you folks.

#6 Updated by gstrauss about 1 year ago

  • Status changed from Wontfix to Fixed
  • Target version set to 1.4.42

