cgi program refuses to setuid root

0

I have a C .cgi program that runs and mostly works. However, I need it to do some file manipulation, so I chown root & chmod +s the .cgi program:

-rwsr-sr-x 1 root root 59140 2015-07-20 13:39 sectl.cgi

When it runs, the program does not have the permissions it needs; a rename() command fails. The output of the command

system("whoami");

is wwwrun. What's going on here?
(I'm certain I've done the same thing on other systems successfully)

openSUSE 11.2

rich

Posted 2015-07-20T21:20:01.790

Reputation: 53

Answers

1

There are a couple of things to keep in mind:

  • setuid for scripts is likely to be disabled (see Allow setuid on shell scripts for instance).
  • even if your program is actually a binary, it is still possible that the file-system on which it resides is mounted with the nosuid option, or that SELinux prohibits the feature (see for example LD_PRELOAD with setuid binary).

Thomas Dickey

Posted 2015-07-20T21:20:01.790

Reputation: 6 891

    1. It is a C program. 2. If I type "mount", I see nothing that looks like "nosuid". I do see acl. The getfacl shows nothing unexpected. The yast bootloader module does not have "enable selinux" checked, and man -k selinux returns nothing. I thought perhaps apache itself was doing the deed, but I see nothing in the config files about it (grep setuid). – rich – 2015-07-20T23:47:37.230

    SELinux is the likely culprit -- I would test with it disabled, just to verify that (and if so, do some reading to see how to appease it). – Thomas Dickey – 2015-07-21T00:00:29.977

    No SELinux that I could find, but I did find apparmor. Reboot, then /etc/init.d/boot.apparmor stop did not help, however. I didn't see a way to disable it completely. – rich – 2015-07-21T00:03:52.207

    Perhaps aa-complain is the workaround (other than removing apparmor altogether). – Thomas Dickey – 2015-07-21T00:37:58.600

    I tried aa-complain <cgi program>, and I tried aa-complain /usr/sbin/httpd2-1tk Neither seemed to do any good. Am I missing something? – rich – 2015-07-21T03:10:21.860

    Your particular program does not have its own profile, but apparmor likely has profiles for more generic things such as apache. – Thomas Dickey – 2015-07-21T07:59:41.360

    Let us continue this discussion in chat. – rich – 2015-07-21T21:55:35.020

    I can't comment in the chat window, unfortunately. – rich – 2015-07-21T22:21:53.650

    Anyway, I've had trouble finding out information about apparmor. I don't know how to prove it's the culprit. I don't know whether it's apache or my .cgi that needs a profile. I tried aa-genprof on my .cgi program, but still no setuid. I found no documentation about apparmor controlling setuid. I'm going to give up and reinstall linux on the computer in question. – rich – 2015-07-21T22:50:54.753
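The answer and the comments above list the usual reasons a setuid-root binary still runs unprivileged (script rather than binary, nosuid mount, an LSM), and the thread never settles which one applied. The self-check below is an added example, not code from the question or the answer: a small C program, built as a CGI, that reports the facts a practitioner would want before reaching for aa-complain. Two caveats worth stating. First, system("whoami") is a weak probe: it runs /bin/sh -c, and on systems where /bin/sh is bash the shell resets the effective UID to the real UID when they differ (unless started with -p), so it prints the real user even when the setuid bit was honoured; geteuid() in the process itself is the thing to check, and the failing rename() is the better evidence. Second, on kernels newer than the openSUSE release in the question (Linux 3.5 and later) a process with the no_new_privs flag set, for example under systemd's NoNewPrivileges=, has every setuid bit ignored, so the check reads that flag from /proc/self/status as well. The program assumes Linux (/proc/self/exe, /proc/self/status) and POSIX statvfs().

```c
/* Added example, not code from the original post: a startup self-check a
 * setuid CGI binary can run to report why it is, or is not, privileged.
 * Assumes Linux (/proc/self/exe, /proc/self/status) and POSIX statvfs(). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>

enum suid_state {
    SUID_IN_EFFECT,        /* ruid != 0, euid == 0: kernel honoured the bit   */
    SUID_NOT_IN_EFFECT,    /* ruid == euid != 0: bit absent or ignored        */
    ALREADY_ROOT,          /* ruid == euid == 0: nothing to diagnose          */
    SUID_TO_NON_ROOT       /* ruid != euid, euid != 0: setuid to another user */
};

/* Pure classification of a real/effective UID pair; safe to unit-test. */
enum suid_state classify_ids(uid_t ruid, uid_t euid) {
    if (euid == 0)    return ruid == 0 ? ALREADY_ROOT : SUID_IN_EFFECT;
    if (ruid == euid) return SUID_NOT_IN_EFFECT;
    return SUID_TO_NON_ROOT;
}

/* 1 if path carries the setuid bit, 0 if not, -1 if stat() fails. */
int has_setuid_bit(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* 1 if the filesystem holding path is mounted nosuid, 0 if not, -1 on error.
 * On a nosuid mount the kernel silently ignores setuid/setgid bits. */
int fs_is_nosuid(const char *path) {
    struct statvfs vfs;
    if (statvfs(path, &vfs) != 0) return -1;
    return (vfs.f_flag & ST_NOSUID) ? 1 : 0;
}

/* 1 if this process has no_new_privs set (any setuid bit is then ignored),
 * 0 if not, -1 if /proc/self/status is unavailable or lacks the field
 * (older kernels such as the one in the question do not have it). */
int no_new_privs(void) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int value = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "NoNewPrivs: %d", &value) == 1) break;
    }
    fclose(f);
    return value;
}

/* Writes a short diagnosis for the running binary into buf and returns
 * the classification of the process's own UIDs. */
enum suid_state diagnose(char *buf, size_t n) {
    uid_t ruid = getuid(), euid = geteuid();
    enum suid_state st = classify_ids(ruid, euid);
    const char *exe = "/proc/self/exe";   /* this binary, however it was invoked */
    snprintf(buf, n,
             "ruid=%u euid=%u\n"
             "setuid bit on binary: %d\n"
             "filesystem mounted nosuid: %d\n"
             "no_new_privs: %d\n"
             "verdict: %s\n",
             (unsigned)ruid, (unsigned)euid,
             has_setuid_bit(exe), fs_is_nosuid(exe), no_new_privs(),
             st == SUID_IN_EFFECT     ? "setuid is in effect" :
             st == SUID_NOT_IN_EFFECT ? "setuid NOT in effect: check the three lines above, then the LSM" :
             st == ALREADY_ROOT       ? "already root" : "setuid to a non-root user");
    return st;
}

int main(void) {
    char msg[512];
    /* A CGI must emit a header before the body; the diagnosis is the body. */
    printf("Content-Type: text/plain\r\n\r\n");
    diagnose(msg, sizeof msg);
    fputs(msg, stdout);
    return 0;
}
```

Compile it, chown root and chmod u+s it exactly as the question's binary was, drop it in the same cgi-bin directory, and fetch it through the web server. If it reports ruid=30 (or whatever wwwrun is) with euid=0, the kernel honoured the bit and the rename() failure lies elsewhere (directory permissions, or an LSM denying the specific operation). If euid equals ruid while the setuid line says 1, nosuid says 0 and no_new_privs says 0, the remaining suspect is the LSM, which is where the aa-complain discussion in the comments starts.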