I have a C .cgi program that runs and mostly works. However, I need it to do some file manipulation, so I chown root & chmod +s the .cgi program:
-rwsr-sr-x 1 root root 59140 2015-07-20 13:39 sectl.cgi
When it runs, the program does not have the permissions it needs; a rename() command fails. The output of the command
system("whoami");
is wwwrun. What's going on here?
(I'm certain I've done the same thing on other systems successfully)
openSUSE 11.2
SELinux is the likely culprit -- I would test with it disabled, just to verify that (and if so, do some reading to see how to appease it). – Thomas Dickey – 2015-07-21T00:00:29.977
No SELinux that I could find, but I did find apparmor. Reboot, then
/etc/init.d/boot.apparmor stop
did not help, however. I didn't see a way to disable it completely. – rich – 2015-07-21T00:03:52.207
Perhaps aa-complain is the workaround (other than removing apparmor altogether). – Thomas Dickey – 2015-07-21T00:37:58.600
I tried
aa-complain <cgi program>
and I tried
aa-complain /usr/sbin/httpd2-1tk
Neither seemed to do any good. Am I missing something? – rich – 2015-07-21T03:10:21.860
Your particular program does not have its own profile, but apparmor likely has profiles for more generic things such as apache. – Thomas Dickey – 2015-07-21T07:59:41.360
Let us continue this discussion in chat. – rich – 2015-07-21T21:55:35.020
I can't comment in the chat window, unfortunately. – rich – 2015-07-21T22:21:53.650
Anyway, I've had trouble finding out information about apparmor. I don't know how to prove it's the culprit. I don't know whether it's apache or my .cgi that needs a profile. I tried aa-genprof on my .cgi program, but still no setuid. I found no documentation about apparmor controlling setuid. I'm going to give up and reinstall linux on the computer in question. – rich – 2015-07-21T22:50:54.753
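
A direct way to see whether the set-user-ID bit is taking effect, as an added example that is not part of the original thread: it prints the real and effective UID from inside the process, with no shell in between, and checks the executable's owner, mode and whether its filesystem is mounted nosuid, a condition the thread does not examine. It assumes Linux (for /proc/self/exe) and that the binary is installed beside the CGI with the same owner and mode; the function and flag names are hypothetical.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <unistd.h>

/* Findings returned by check_setuid_file() as a bitmask (names are illustrative). */
enum {
    F_SUID_BIT   = 1 << 0,  /* mode carries the set-user-ID bit */
    F_ROOT_OWNED = 1 << 1,  /* file is owned by uid 0 */
    F_NOSUID_FS  = 1 << 2   /* filesystem is mounted nosuid: the bit is ignored on exec */
};

/* Inspect an executable; returns a bitmask of findings, or -1 if it cannot be examined. */
int check_setuid_file(const char *path)
{
    struct stat st;
    struct statvfs vfs;
    int f = 0;

    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0)
        return -1;
    if (st.st_mode & S_ISUID)   f |= F_SUID_BIT;
    if (st.st_uid == 0)         f |= F_ROOT_OWNED;
    if (vfs.f_flag & ST_NOSUID) f |= F_NOSUID_FS;
    return f;
}

/* 1 only if the file-level conditions for running as root on exec are all met. */
int setuid_root_expected(int f)
{
    return f >= 0 && (f & F_SUID_BIT) && (f & F_ROOT_OWNED) && !(f & F_NOSUID_FS);
}

int main(int argc, char **argv)
{
    /* With no argument (the CGI case) inspect the running binary itself. */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    int f = check_setuid_file(path);

    printf("Content-Type: text/plain\n\n");
    printf("ruid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    if (f < 0) { printf("cannot examine %s\n", path); return 1; }
    printf("setuid bit: %s\n", (f & F_SUID_BIT) ? "yes" : "no");
    printf("root owned: %s\n", (f & F_ROOT_OWNED) ? "yes" : "no");
    printf("nosuid mount: %s\n", (f & F_NOSUID_FS) ? "yes" : "no");
    printf("file-level setuid root expected: %s\n", setuid_root_expected(f) ? "yes" : "no");
    return 0;
}
```

If the last line says yes while euid still equals ruid, the file and mount are not the cause and the restriction is being applied elsewhere.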