Project

General

Profile

Actions

Bug #2374

closed

lighttpd-1.4.29 cannot execute unreadable CGIs

Added by Hawk777 over 9 years ago. Updated almost 5 years ago.

Status:
Fixed
Priority:
Normal
Category:
-
Target version:
ASK QUESTIONS IN Forums:

Description

Lighttpd tries to open() the CGI. If this fails with EACCES, the request returns 403. This shouldn't happen: if the request is to be handled by a CGI, it needs to be executable by the Lighttpd user, but there's no reason it should have to be readable. I have an strace if you want, though it's not very informative (just shows open() returning EACCES).

Actions #1

Updated by Hawk777 over 9 years ago

I neglected to mention this in my initial report, but the CGI in question is an ELF and can be executed without issue from bash running as the Lighttpd user account.

Actions #2

Updated by darix over 9 years ago

  • Status changed from New to Invalid

you need read permission to execute a file.

Actions #3

Updated by Hawk777 over 9 years ago

  • Status changed from Invalid to Reopened

No you don't. Please try this for yourself if you don't believe me:

$ cat test.c
#include <stdio.h>
int main(void) {
puts("Hello World");
return 0;
}

$ gcc -otest test.c
$ chmod 0111 test
$ ./test
Hello World

Actions #4

Updated by stbuehler over 9 years ago

  • Status changed from Reopened to Wontfix

Yes, you can execute "not readable" files, although it is useless if you don't set SUID also (without SUID you can just LD_PRELOAD anything you want).

The open() is from our stat code; i don't intend to change the semantics of it, so you have to live with the current behaviour - just provide a readable wrapper script (and perhaps replace SUID with sudo):

#!/bin/sh

exec /path/to/real/binary
Actions #5

Updated by Hawk777 over 9 years ago

I understand not wanting to modify core code paths for a mildly-obscure situation. I'll try to convince my distro to install Mailman's CGIs mode 2755 instead of 2751 so I can stop changing them by hand. Sorry for bothering you folks.

Actions #6

Updated by gstrauss almost 5 years ago

  • Status changed from Wontfix to Fixed
  • Target version set to 1.4.42
Actions

Also available in: Atom