
Apache + CGI + suid security problem

2020-01-09 by: Dan Lyke
From: Dan Lyke 
Okay, sometime in the past month or so, an XUbuntu upgrade broke my
document manager.

The Brother scanner uploads scans as PDFs using a locked down account.

The .../scanning/index.cgi executes

-rwsrwsr-x 1 root root 8968 Mar 29  2015 /home/danlyke/scanning/importsetuid

This sets its user:group to 'brscanner:brscanner' and executes some
Perl, /home/danlyke/scanning/import.pl, which is supposed to build some
directory structure and use ImageMagick to generate some thumbnails
(keeping up with ImageMagick's policy.xml file is another rant).

Except this time it gives me, in the Apache logs,

mkdir /var/www/scanning/files/2020: Permission denied at /home/danlyke/scanning/import.pl line 31.

When I ran this from my user account, of course it all worked just
fine. And it worked fine early last month.

Permissions look like I expect them to:

$ ls -al /var/www/scanning/files/
total 32
drwxrwxr-x  8 danlyke   danlyke   4096 Jan  8 19:50 .
drwxr-xr-x  5 danlyke   brscanner 4096 Apr 27  2019 ..
drwxrwxr-x  8 brscanner brscanner 4096 Dec 27  2015 2015
drwxrwxr-x  9 brscanner brscanner 4096 Dec  1  2016 2016
drwxrwxr-x 10 brscanner brscanner 4096 Dec 26  2017 2017
drwxrwxr-x 12 brscanner brscanner 4096 Dec 30  2018 2018
drwxrwxr-x  9 brscanner brscanner 4096 Dec  4 19:18 2019
drwxrwxr-x  3 brscanner brscanner 4096 Jan  8 19:50 2020

That 2020 one is obviously created when I ran the importsetuid by
hand. Anyone got a clue about what might have changed in Apache2, in
the standard Ubuntu packages, in the past month?

I freakin' hate that I've got all of these systems which keep breaking.
Keeping up with this stuff, when it should just continue to work, is a
royal PITA.


===============================================================
From: Dan Lyke
------------------------------------------------------
On Wed, 8 Jan 2020 20:10:49 -0800 Dan Lyke wrote:

Doh. Had the right permissions on the parent directory, not on the direct directory. Argh.

Dan
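The failure in the thread is the classic one: the service account can traverse every ancestor, but the directory that mkdir actually writes into (files/, owned danlyke:danlyke, mode 775) gives brscanner only the "other" bits, so the parent looked right and the immediate directory was the problem. The following is an added example, not code from the post or from Dan's scanner setup, that walks a path the way the kernel's discretionary check does and names the first component that denies a mkdir for a given uid and group set. The uids, gids and the directory tree are constructed to mirror the ls output above; the `mkdir_check_fs` variant runs the same logic against the live filesystem so an admin can ask "what would this service account get" without switching users. It models DAC mode bits only and ignores ACLs, AppArmor and capabilities, so a clean result here does not rule out a MAC denial.

```python
"""Model the kernel's DAC walk for a mkdir: every ancestor needs search (x),
the target's parent needs write + search. Pure functions so the scenario
from the post can be checked without touching the real filesystem."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Entry:
    mode: int   # permission bits only, e.g. 0o775
    uid: int
    gid: int


def permitted(entry: Entry, uid: int, gids: Iterable[int], want: int) -> bool:
    """Owner bits if uid matches, else group bits if any group matches, else
    other bits. Root is not special-cased here (the kernel lets
    CAP_DAC_OVERRIDE bypass this), which is the point: a setuid wrapper that
    drops to a service account gets exactly this check."""
    gids = set(gids)
    if uid == entry.uid:
        bits = (entry.mode >> 6) & 7
    elif entry.gid in gids:
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return bits & want == want


def mkdir_check(tree: Dict[str, Entry], parent: str, uid: int,
                gids: Iterable[int]) -> Optional[str]:
    """Return None if `uid` may create an entry inside `parent`, otherwise
    the absolute path of the first component that denies it."""
    parts = [p for p in parent.split("/") if p]
    cur = ""
    for i, part in enumerate(parts):
        cur += "/" + part
        need = (W | X) if i == len(parts) - 1 else X
        if not permitted(tree[cur], uid, gids, need):
            return cur
    return None


def mkdir_check_fs(parent: str, uid: int, gids: Iterable[int]) -> Optional[str]:
    """Same check against the live filesystem (mode bits only)."""
    parts = [p for p in os.path.abspath(parent).split("/") if p]
    tree: Dict[str, Entry] = {}
    cur = ""
    for part in parts:
        cur += "/" + part
        st = os.stat(cur)
        tree[cur] = Entry(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return mkdir_check(tree, "/" + "/".join(parts), uid, gids)


# Constructed ids and tree mirroring the listing in the post (assumed values).
DANLYKE_UID = DANLYKE_GID = 1000
BRSCANNER_UID = BRSCANNER_GID = 1001
ROOT = 0

BROKEN_TREE = {
    "/": Entry(0o755, ROOT, ROOT),
    "/var": Entry(0o755, ROOT, ROOT),
    "/var/www": Entry(0o755, ROOT, ROOT),
    "/var/www/scanning": Entry(0o755, DANLYKE_UID, BRSCANNER_GID),   # the ".." line
    "/var/www/scanning/files": Entry(0o775, DANLYKE_UID, DANLYKE_GID),  # the "." line
}

# The fix from the thread: give the immediate directory to the service group.
FIXED_TREE = dict(BROKEN_TREE)
FIXED_TREE["/var/www/scanning/files"] = Entry(0o775, DANLYKE_UID, BRSCANNER_GID)

TARGET = "/var/www/scanning/files"

if __name__ == "__main__":
    for name, tree in (("broken", BROKEN_TREE), ("fixed", FIXED_TREE)):
        denied = mkdir_check(tree, TARGET, BRSCANNER_UID, {BRSCANNER_GID})
        print(f"{name}: brscanner mkdir in {TARGET} ->",
              "ok" if denied is None else f"denied at {denied}")
    # Running as the admin account always succeeds, which is why testing
    # "by hand" from your own shell hides this class of bug.
    print("danlyke:", mkdir_check(BROKEN_TREE, TARGET, DANLYKE_UID, {DANLYKE_GID}))
```

Running it prints that the broken tree denies brscanner at /var/www/scanning/files while danlyke succeeds, which is exactly the "works from my account, fails from the CGI" symptom. For a real deployment, run `mkdir_check_fs(path, uid, gids)` with the service account's ids from `id brscanner`; if it reports no denial but the CGI still fails, look beyond mode bits (ACLs, AppArmor, mount options) rather than at the directory tree.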