0

Note that I'm not asking about suEXEC, because the binary must be setuid root, and suEXEC doesn't allow root to execute CGI programs.

I need to carry out a one-time configuration during system installation, via Apache. To do this, the client POSTs a request to a setuid root binary (compiled C++, owned by root:root, mode u+s). This almost works: the script does run as root, and modifies system files as required. However, it does not return stdout to Apache, so Apache thinks that it dies without producing any headers. Apache's error log contains nothing useful (just the usual 'no headers' message), and the CGI log/debug file also contains nothing useful (it just gives an empty %response, with nothing shown for %stdout or %stderr).

I've tested the binary by running it on the server from a script which supplies the required POST data on stdin, and records stdout and stderr. It also runs it under valgrind. However, valgrind can't (easily) run setuid binaries, so I revert the binary to a plain 755 mode, and run the test script as root. In these conditions, the binary performs exactly as expected: valgrind reports no errors, stdout is a valid HTML response with status 200, and stderr contains only the valgrind output.

Any insight appreciated.

Improve this question
5
  • The answer to the question asked is "Yes". The question you haven't asked is possibly "How can I resolve this?" Commented Jul 20, 2024 at 19:08
  • Go on, don't keep me in suspense - how can I resolve it? :) Pro tip - no-one with any sense grows coffee anywhere near Machu Picchu (well, they didn't when I was last there, 40+ years ago). It's way above the normal Arabica altitude range (and is expensive, and is over-roasted). Any washed Central American bean, of any varietal, is likely to give much better results. There are loads of independent roasters who'll do you a 250g bag for about £10. Commented Jul 21, 2024 at 9:17
  • The counter-question I have is "Are you sure this is the best architecture for this task?" Is it set in stone, or is it just the first method that came to mind? Commented Jul 21, 2024 at 11:24
  • @QF0 thank you 😁 I probably ought to update that. The rest stands though Commented Jul 21, 2024 at 11:32
  • @u1686_grawity - no, I'm not sure. In the previous system, the binary was not setuid, and sudo'ed fixed 'static' scripts which were listed in the sudoers file on the client's computer. This iteration instead runs scripts fetched from an external server during configuration/installation, and so doesn't really fit in with a sudoers model. Just feeling my away around the best way to address this. setuid root is one option, and is arguably nuclear, but is simple. Commented Jul 21, 2024 at 14:08

1 Answer 1

Reset to default
0

The answer to the question asked is "Yes". The question you haven't asked is possibly "How can I resolve this?". Here one option could be to wrap the silent suid program in a script that generates the necessary headers.

It's been a very long time since I wrote code that worked at such a low level, but something along these lines could work:

#!/bin/sh
printf '%s\r\n' 'HTTP/1.1 200 OK'
printf '%s\r\n' "Date: $(date)"
printf '\r\n'
/my/suid/program
exit 0

This code is untested.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.