sympa: 2 Insecure errors when running setuid in apache error log

Bug #508839 reported by bersyl91
This bug affects 1 person
Affects: sympa (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: sympa

This bug is the same as the Debian Bug#516164, from which I reproduce here the last message:

Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

Olivier Berger
Fri, 20 Feb 2009 06:00:57 -0800

On Fri, Feb 20, 2009 at 02:40:58PM +0100, Olivier Berger wrote:
> On Fri, Feb 20, 2009 at 02:25:14PM +0100, Olivier Berger wrote:
> > > * Sympa 5.2 introduced a Perl wrapper for wwsympa.fcgi that uses
> > > sudo. Do you use it?
> >
> > Nope... the wrapper is provided in the Debian package but not used in
> > the default setup.
> >
>
> I've tried with the wrapper and this gives much better results, without
> errors reported.
>
> Here are the necessary changes :
>
> In /etc/sudoers :
>
> www-data ALL = (sympa) NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
>
> and in /etc/apache2/conf.d/sympa :
>
> ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl
>

One more element also, which I didn't notice initially... the environment
variables are trashed with the default
/usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl provided in the package.

So the CGI execution won't be really working, losing its base URL for instance.

It seems that having a supplemental -E option in the sudo command as well as
the SETENV: flag in sudoers helps also :

In /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl :

        exec '/usr/bin/sudo', '-E', '-u', 'sympa', '/usr/lib/cgi-bin/sympa/wwsympa.fcgi';

In /etc/sudoers (visudo) :
        www-data ALL = (sympa) SETENV: NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi

Again :

> Maybe this should be the default, when no fastcgi is activated ?
>
> Hope this helps,

Having done what Olivier Berger says, I get into a semi-solved situation:

 - with the '-E' flag, I get a 500 error and an "Undefined subroutine &main::get_random called at /usr/lib/cgi-bin/sympa/wwsympa.fcgi line 853." in syslog
 - without the flag, I get a messy web page, but a web page.

ProblemType: Bug
Architecture: i386
Date: Sun Jan 17 19:39:55 2010
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
Package: sympa (not installed)
ProcEnviron:
 PATH=(custom, user)
 LANG=fr_FR.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-17.54-generic
SourcePackage: sympa
Uname: Linux 2.6.31-17-generic i686
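
An added example, not part of the original report or of the Debian/Ubuntu package: a sudoers fragment that passes a fixed list of CGI variables through env_keep, so the wrapper can call sudo without '-E' and the rule needs no SETENV: tag. The alias name WWSYMPA and the variable list (standard CGI variables plus a few request headers) are assumptions; the report does not say which variables wwsympa.fcgi needs.

```sudoers
# Added example; edit with visudo. WWSYMPA is a hypothetical alias name.
Cmnd_Alias WWSYMPA = /usr/lib/cgi-bin/sympa/wwsympa.fcgi

# With env_reset in effect (the sudoers default), only variables named in
# env_keep reach the command. The names below are an assumed set of CGI
# request variables; extend the list only with variables the script reads.
Defaults!WWSYMPA env_keep += "GATEWAY_INTERFACE SERVER_PROTOCOL SERVER_SOFTWARE"
Defaults!WWSYMPA env_keep += "SERVER_NAME SERVER_PORT HTTPS"
Defaults!WWSYMPA env_keep += "REQUEST_METHOD REQUEST_URI SCRIPT_NAME PATH_INFO QUERY_STRING"
Defaults!WWSYMPA env_keep += "CONTENT_TYPE CONTENT_LENGTH"
Defaults!WWSYMPA env_keep += "REMOTE_ADDR REMOTE_HOST REMOTE_USER AUTH_TYPE"
Defaults!WWSYMPA env_keep += "HTTP_HOST HTTP_COOKIE HTTP_USER_AGENT HTTP_REFERER HTTP_ACCEPT_LANGUAGE"

# No SETENV: tag, so www-data cannot ask sudo to preserve or set anything
# beyond the list above.
www-data ALL = (sympa) NOPASSWD: WWSYMPA
```

Checking the file with `visudo -c` before reloading catches syntax errors in the added lines.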
