[Bug 508839] [NEW] sympa: 2 Insecure errors when running setuid in apache error log
bersyl91
choppy at free.fr
Sun Jan 17 18:45:12 UTC 2010
Public bug reported:
Binary package hint: sympa
This bug is the same as the Debian Bug#516164, from which I reproduce
here the last message:
Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
Olivier Berger
Fri, 20 Feb 2009 06:00:57 -0800
On Fri, Feb 20, 2009 at 02:40:58PM +0100, Olivier Berger wrote:
> On Fri, Feb 20, 2009 at 02:25:14PM +0100, Olivier Berger wrote:
> > > * Sympa 5.2 introduced a Perl wrapper for wwsympa.fcgi that uses
> > > sudo. Do you use it?
> >
> > Nope... the wrapper is provided in the Debian package but not used in
> > the default setup.
> >
>
> I've tried with the wrapper and this gives much better results, without
> errors reported.
>
> Here are the necessary changes :
>
> In /etc/sudoers :
>
> www-data ALL = (sympa) NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
>
> and in /etc/apache2/conf.d/sympa :
>
> ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl
>
One more element also, which I didn't notice initially... the environment
variables are trashed with the default
/usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl provided in the package.
So the CGI execution won't be really working, losing its base URL for
instance.
It seems that having a supplemental -E option in the sudo command as well as
the SETENV: flag in sudoers helps also :
In /usr/lib/cgi-bin/sympa/wwsympa_sudo_wrapper.pl :
exec '/usr/bin/sudo', '-E', '-u', 'sympa', '/usr/lib/cgi-bin/sympa/wwsympa.fcgi';
In /etc/sudoers (visudo) :
www-data ALL = (sympa) SETENV: NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
Again :
> Maybe this should be the default, when no fastcgi is activated ?
>
> Hope this helps,
Having done what Olivier Berger says, I get into a semi-solved
situation:
- with the '-E' flag, I get a 500 error and an "Undefined subroutine &main::get_random called at /usr/lib/cgi-bin/sympa/wwsympa.fcgi line 853." in syslog
- without the flag, I get a messy web page, but a web page.
ProblemType: Bug
Architecture: i386
Date: Sun Jan 17 19:39:55 2010
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
Package: sympa (not installed)
ProcEnviron:
PATH=(custom, user)
LANG=fr_FR.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-17.54-generic
SourcePackage: sympa
Uname: Linux 2.6.31-17-generic i686
** Affects: sympa (Ubuntu)
Importance: Undecided
Status: New
** Tags: apport-bug i386
--
sympa: 2 Insecure errors when running setuid in apache error log
https://bugs.launchpad.net/bugs/508839
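
An added example, not part of the original report or of the Sympa package: the SETENV: rule quoted above lets www-data pass its entire environment to a command running as sympa, while a per-user env_keep list preserves only named variables. The variable names below are an assumption (common CGI names); the set wwsympa.fcgi actually needs is not stated on this page.

```sudoers
# Constructed example; edit with visudo. The variable list is an assumption
# (common CGI names), not taken from the Sympa package.

# Variant from the message above: SETENV plus `sudo -E` lets www-data
# hand its whole environment to the command run as sympa.
# www-data ALL = (sympa) SETENV: NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi

# Narrower variant: keep env_reset (the sudo default) and preserve only
# the named variables for commands www-data runs through sudo.
Defaults:www-data env_keep += "GATEWAY_INTERFACE SERVER_PROTOCOL SERVER_NAME SERVER_PORT"
Defaults:www-data env_keep += "REQUEST_METHOD REQUEST_URI SCRIPT_NAME PATH_INFO QUERY_STRING"
Defaults:www-data env_keep += "CONTENT_TYPE CONTENT_LENGTH REMOTE_ADDR HTTPS"
Defaults:www-data env_keep += "HTTP_HOST HTTP_COOKIE HTTP_ACCEPT_LANGUAGE HTTP_USER_AGENT"

# No SETENV tag here, so the wrapper must call sudo without -E
# (sudo refuses -E when the matching rule does not allow it).
www-data ALL = (sympa) NOPASSWD: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
```

Running `visudo -c` after the change checks the file for syntax errors before it takes effect.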