Apache + CGI + suid security problem
2020-01-09 by: Dan Lyke
From: Dan Lyke
------------------------------------------------------

Okay, sometime in the past month or so, an XUbuntu upgrade broke my document manager. The Brother scanner uploads scans as PDFs using a locked-down account. The .../scanning/index.cgi executes

    -rwsrwsr-x 1 root root 8968 Mar 29  2015 /home/danlyke/scanning/importsetuid

This sets its user:group to 'brscanner:brscanner' and executes some Perl, /home/danlyke/scanning/import.pl, which is supposed to build some directory structure and use ImageMagick to generate some thumbnails (keeping up with ImageMagick's policy.xml file is another rant). Except this time it gives me, in the Apache logs,

    mkdir /var/www/scanning/files/2020: Permission denied at /home/danlyke/scanning/import.pl line 31.

When I ran this from my user account, of course it all worked just fine. And it worked fine early last month. Permissions look like I expect them to:

    $ ls -al /var/www/scanning/files/
    total 32
    drwxrwxr-x  8 danlyke   danlyke   4096 Jan  8 19:50 .
    drwxr-xr-x  5 danlyke   brscanner 4096 Apr 27  2019 ..
    drwxrwxr-x  8 brscanner brscanner 4096 Dec 27  2015 2015
    drwxrwxr-x  9 brscanner brscanner 4096 Dec  1  2016 2016
    drwxrwxr-x 10 brscanner brscanner 4096 Dec 26  2017 2017
    drwxrwxr-x 12 brscanner brscanner 4096 Dec 30  2018 2018
    drwxrwxr-x  9 brscanner brscanner 4096 Dec  4 19:18 2019
    drwxrwxr-x  3 brscanner brscanner 4096 Jan  8 19:50 2020

That 2020 one is obviously created when I ran the importsetuid by hand.

Anyone got a clue about what might have changed in Apache2, in the standard Ubuntu packages, in the past month?

I freakin' hate that I've got all of these systems which keep breaking. Keeping up with this stuff, when it should just continue to work, is a royal PITA.

Dan

===============================================================

From: Dan Lyke
------------------------------------------------------

On Wed, 8 Jan 2020 20:10:49 -0800 Dan Lyke wrote:

Doh. Had the right permissions on the parent directory, not on the direct directory.

Argh.

Dan
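The failure in the thread is the classic one: Perl's mkdir reports only "Permission denied", and the eye goes to the parent (drwxr-xr-x danlyke brscanner) rather than to the directory the new entry actually lands in (drwxrwxr-x danlyke danlyke, which brscanner cannot write). The following script is an added example, not code from the thread or from the poster's import.pl. It walks every component of the path a mkdir would touch and reports the first one the target uid/group set cannot search or write, so the offending directory is named instead of guessed. The uids (danlyke=1000, brscanner=1001) and the "fixed" layout (files/ regrouped to brscanner) are assumptions for the constructed table; the ownership and modes in that table are copied from the listing above. It goes beyond the single case in the thread in that it checks any depth of path and any caller identity, and can be pointed at a live filesystem.

```python
"""Explain why mkdir(target) would fail for a given uid and group set.

Added example for the thread above; it is not the poster's import.pl.
Checks Unix DAC bits only (no POSIX ACLs, no AppArmor/SELinux).
"""
import os
import stat
import sys
from typing import Callable, Iterable, NamedTuple, Optional, Tuple

R, W, X = 4, 2, 1


class Entry(NamedTuple):
    mode: int   # permission bits only, e.g. 0o775
    uid: int
    gid: int


def permitted(e: Entry, uid: int, gids: Iterable[int], want: int) -> bool:
    """Classic DAC: owner bits if uid matches, else group bits if any of the
    caller's groups matches, else 'other' bits. uid 0 bypasses the check."""
    if uid == 0:
        return True
    if uid == e.uid:
        shift = 6
    elif e.gid in set(gids):
        shift = 3
    else:
        shift = 0
    return bool((e.mode >> shift) & want)


def explain_mkdir(target: str, uid: int, gids: Iterable[int],
                  lookup: Callable[[str], Optional[Entry]]) -> Tuple[bool, str]:
    """Return (ok, message). lookup(path) gives an Entry, or None if missing."""
    gids = set(gids)
    target = os.path.normpath(target)
    parent = os.path.dirname(target)

    # Every directory from / down to the parent needs search (x) permission;
    # the parent additionally needs write (w). Collect the chain root-first.
    chain, p = [], parent
    while True:
        chain.append(p)
        if p == os.path.dirname(p):
            break
        p = os.path.dirname(p)
    for d in reversed(chain):
        e = lookup(d)
        if e is None:
            return False, f"{d}: does not exist"
        if not permitted(e, uid, gids, X):
            return False, (f"{d}: no search (x) permission for uid {uid} "
                           f"(owner {e.uid}, group {e.gid}, mode {e.mode:04o})")
    e = lookup(parent)
    if not permitted(e, uid, gids, W):
        return False, (f"{parent}: no write permission for uid {uid} "
                       f"(owner {e.uid}, group {e.gid}, mode {e.mode:04o})")
    if lookup(target) is not None:
        return False, f"{target}: already exists"
    return True, f"{target}: mkdir would succeed for uid {uid}"


def live_lookup(path: str) -> Optional[Entry]:
    """lookup() backed by the real filesystem."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return Entry(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


# Constructed table mirroring the 'ls -al' in the thread. Uids are assumed.
DANLYKE, BRSCANNER = 1000, 1001
BROKEN = {
    "/": Entry(0o755, 0, 0),
    "/var": Entry(0o755, 0, 0),
    "/var/www": Entry(0o755, 0, 0),
    "/var/www/scanning": Entry(0o755, DANLYKE, BRSCANNER),       # the '..' line
    "/var/www/scanning/files": Entry(0o775, DANLYKE, DANLYKE),   # the '.' line
}
# One possible fix (assumed): give files/ the brscanner group like its parent.
FIXED = {**BROKEN, "/var/www/scanning/files": Entry(0o775, DANLYKE, BRSCANNER)}
TARGET = "/var/www/scanning/files/2020"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: check a real path as the current process identity.
        print(explain_mkdir(sys.argv[1], os.getuid(), os.getgroups(), live_lookup)[1])
    else:
        print("broken:", explain_mkdir(TARGET, BRSCANNER, {BRSCANNER}, BROKEN.get)[1])
        print("fixed: ", explain_mkdir(TARGET, BRSCANNER, {BRSCANNER}, FIXED.get)[1])
```

The second argument set (the group list) is the part worth getting right when reproducing a CGI failure: a setuid wrapper that calls setuid()/setgid() without setgroups() or initgroups() leaves the caller's supplementary groups in place, so the same binary can see different group bits when started from a login shell than from Apache. Run `id` from inside the CGI environment and pass exactly those groups, or run the script in live mode as that identity, before trusting an interactive test.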