[Pkg-sympa-devel] Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log

Olivier Berger olivier.berger at it-sudparis.eu
Wed Jan 4 13:00:48 UTC 2012


On Mon, Dec 19, 2011 at 09:39:54PM +0100, Emmanuel Bouthenot wrote:
> Hi Olivier,
> 
> On Thu, Dec 15, 2011 at 02:21:04PM +0100, Olivier Berger wrote:
> [...]
> 
> > I'm not sure, but I don't think so, for those errors above.
> > 
> > On the other hand, the problem with these warnings:
> > mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 253., referer: https://cgt-int.dnsalias.org/wws
> > mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/List.pm line 9703., referer: https://cgt-int.dnsalias.org/wws
> > is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)
> That's weird, I've never encountered such errors. Could you tell me more
> about your apache/fcgid setup for wwsympa?
> 

OK: I have libapache2-mod-fcgid (1:2.3.6-1) and libapache2-mod-fastcgi (2.4.6-1) installed.

But:
# apache2ctl -t -D DUMP_MODULES
apache2: Could not reliably determine the server's fully qualified domain name, ...
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 fcgid_module (shared)
 info_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 status_module (shared)
Syntax OK

and:

<IfModule mod_fcgid.c>
  AddHandler    fcgid-script .fcgi
  FcgidConnectTimeout 20
</IfModule>

in /etc/apache2/mods-enabled/fcgid.conf

and:

Alias /static-sympa /var/lib/sympa/static_content
ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi

in /etc/apache2/conf.d/sympa

Dunno what else I could tell...

> 
> > It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not
> > distributed in that version... so I'm not sure what's wrong....
> If I remember well, sudo wrapper was dropped from upstream sources about
> 2 years ago :)

Indeed... I was just having a look at the initial exchanges on that quite old (too) ticket ;)

> 
> > I don't know if you want to take care about that backports version in this ticket.
> I will try to fix every bug I can reproduce :)
> 

Thanks a lot.

Tell me if you need additional details.

Best regards,

-- 
Olivier BERGER 
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)





