Mail Archives: cygwin-apps/2002/01/21/05:23:27

Mailing-List: contact cygwin-apps-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-apps-owner AT cygwin DOT com
List-Subscribe: <mailto:cygwin-apps-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-apps/>
List-Post: <mailto:cygwin-apps AT cygwin DOT com>
List-Help: <mailto:cygwin-apps-help AT cygwin DOT com>, <http://sources.redhat.com/lists.html#faqs>
Delivered-To: mailing list cygwin-apps AT cygwin DOT com
Date: Mon, 21 Jan 2002 11:22:48 +0100
From: Corinna Vinschen <cygwin-apps AT cygwin DOT com>
To: cygapp <cygwin-apps AT cygwin DOT com>
Subject: Re: apache-1.3.22-4 no-detach patch
Message-ID: <20020121112248.H11608@cygbert.vinschen.de>
Mail-Followup-To: cygapp <cygwin-apps AT cygwin DOT com>
References: <3C475FB1 DOT 26A73DB7 AT wapme-systems DOT de> <20020118093341 DOT A18161 AT cygbert DOT vinschen DOT de> <3C47EC5B DOT D0886E51 AT wapme-systems DOT de> <20020118161913 DOT C11608 AT cygbert DOT vinschen DOT de> <3C4AF0EC DOT C1F0F399 AT wapme-systems DOT de>
Mime-Version: 1.0
In-Reply-To: <3C4AF0EC.C1F0F399@wapme-systems.de>
User-Agent: Mutt/1.3.22.1i

On Sun, Jan 20, 2002 at 05:31:40PM +0100, Stipe Tolj wrote:
> Please grab
> 
>   apache-1.3.22-3.tar.bz2
>   apache-1.3.22-4-no-detach.tar.bz2 
> 
> from http://apache.dev.wapme.net/support/apache-cygwin/ and replace
> the files in -4 with those of -3 for testing.

That works nicely.  Just one problem left, though.

In /etc/apache/httpd.conf I've set User to `Guest' (uid 501).
The apache service is started under SYSTEM account.  When
looking into the process list you can see:

      PID    PPID    PGID     WINPID  TTY  UID    STIME COMMAND
      196       1     196        196    ?   18 10:53:42 /usr/bin/cygrunsrv
     2504     196    2504       3740    ?   18 10:53:42 /usr/sbin/httpd
     4012    2504    2504       4012    ?   18 10:53:43 /usr/sbin/httpd

It's ok that the service process is running under SYSTEM (uid 18)
account but the server process should have switched to the Guest
account (uid 501) like that:

      PID    PPID    PGID     WINPID  TTY  UID    STIME COMMAND
      196       1     196        196    ?   18 10:53:42 /usr/bin/cygrunsrv
     2504     196    2504       3740    ?   18 10:53:42 /usr/sbin/httpd
     4012    2504    2504       4012    ?  501 10:53:43 /usr/sbin/httpd

This would be the same as in Linux then, where the service is
started under root but the server runs under some nobody account.

Is the setuid() switched off in the Cygwin version???  That's
somewhat dangerous, actually.  That way it's impossible to
run the server under an account with as few rights as possible.
Example Guest account:  The machine would have to give "Start
as a service" user right to the Guest account.  Uh, wait a
minute...

*dig, dig, dig*

Ok, as far as I can see, the problem is line 4136f. in http_main.c:

    /* Only try to switch if we're running as root */
    if (!geteuid() && (

That could get changed to (just a draft):

  #ifdef CYGWIN
    /* Only try to switch if we're running as SYSTEM */
    #define SYSTEM_UID 18
    if (geteuid() == SYSTEM_UID && (
  #else
    /* Only try to switch if we're running as root */
    if (!geteuid() && (
  #endif

Or is that the stuff in line 5375f.?  I'm not quite sure.

> Be aware to have
> 
>   $ chown SYSTEM /var/log/apache
> 
> otherwise you won't get going.

Could you call that `chown' in your /etc/postinstall script?

> I'll ask the Apache guys if a OS-wide flag may be introduced.
> Otherwise, I will provide them a patch for the Cygwin specific flag.

That would of course be the best solution.  However, except for the
setuid() problem and the postinstall one-liner we can go with it as
it is for now.

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
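
An added example, not part of the original message and not Apache's own code: a privilege drop that treats SYSTEM (uid 18, as in the process listing above) as the privileged account on Cygwin and root elsewhere, then verifies that the switch took effect. The function names, the use of the compiler's `__CYGWIN__` macro and the target gid are assumptions made for this sketch.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* glibc: expose setgroups() */
#endif
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>

/* uid allowed to switch accounts: SYSTEM (18, as in the process listing
   above) on Cygwin, root (0) elsewhere. */
#ifdef __CYGWIN__
#define PRIVILEGED_UID ((uid_t)18)
#else
#define PRIVILEGED_UID ((uid_t)0)
#endif

/* 1 if a process with this euid has to switch before serving requests. */
int must_switch(uid_t euid, uid_t target)
{
    return euid == PRIVILEGED_UID && target != PRIVILEGED_UID;
}

/* Returns 0 only if the process provably runs as target_uid afterwards. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (target_uid == PRIVILEGED_UID)
        return -1;                 /* never "drop" to the privileged account */
    if (!must_switch(geteuid(), target_uid))
        return geteuid() == target_uid ? 0 : -1;
    /* Groups first: once the uid is gone they can no longer be changed. */
    if (setgroups(1, &target_gid) != 0 || setgid(target_gid) != 0)
        return -1;
    if (setuid(target_uid) != 0)
        return -1;
    /* Check the result instead of trusting the return codes. */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid)
        return -1;
    if (setuid(PRIVILEGED_UID) == 0)
        return -1;                 /* privileged uid could be regained */
    return 0;
}

int main(void)
{
    /* uid 501 is Guest in the email; gid 501 is a constructed value. */
    return drop_privileges(501, 501) == 0 ? 0 : 1;
}
```

A caller that gets -1 should exit rather than serve requests, so a failed switch never leaves a worker running as SYSTEM or root.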
