Bug 21535 - Example CGI programs do not work and their configuration is insecure
Summary: Example CGI programs do not work and their configuration is insecure
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Donny Davies (RETIRED)
Reported: 2003-05-23 06:13 UTC by Joseph M. Hinkle
Modified: 2003-06-18 09:56 UTC (History)
Description Joseph M. Hinkle 2003-05-23 06:13:09 UTC
The two example CGI programs printenv and test-cgi do not work because the ebuild
does not chmod them to executable.

They are both owned by "root", as is the entire Apache tree, so to make them
runnable one would chmod them rw-r-r-x, allowing any user at all to run them,
not the "apache" user to which the daemon is set to run in the configuration
file.

This is an extremely unsafe practice, and therefore an extremely poor
example of CGI usage.
Reproducible: Always
Steps to Reproduce:
1. emerge apache
2. rc-update add apache default
3. /etc/init.d/apache start
4. Run a browser to http://localhost/cgi-bin/printenv

Actual Results:  
Internal Server Error
Expected Results:  
It should have run printenv which shows environment variables.
For the nit-pickers: This is a trivial CGI script which should not be in a
production system, but it shows as an example of how to install CGI scripts,
and is the worst possible.  Having an ebuild that does all sorts of fancy
setup and failing to chown -R apache:apache /home/httpd but leaving it to the
installer shows an abysmal understanding of the function of software.
Portage 2.0.47-r10 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4)
=================================================================
System uname: 2.4.20 i686 Celeron (Coppermine)
GENTOO_MIRRORS="http://gentoo.oregonstate.edu/
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config
/usr/kde/3/share/config /var/bind /usr/X11R6/lib/X11/xkb
/usr/kde/3.1/share/config /usr/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY=""
USE="x86 oss 3dnow apm avi crypt encode gif jpeg kde libg++ mikmod mmx motif
mpeg ncurses pdflib png quicktime spell truetype xml2 xmms xv zlib gdbm berkdb
slang readline arts svga java postgres sdl gpm tcpd pam libwww ssl python esd imlib
oggvorbis qt opengl X gtk gnome -alsa jikes usb cups tcltk perl mysql odbc
-nls"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-O2 -mcpu=i686 -pipe"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
Comment 1 Donny Davies (RETIRED) gentoo-dev 2003-06-18 09:56:31 UTC
The irony in here is absolutely, wonderfully delicious!