[Pkg-sympa-devel] Bug#516164: sympa: 2 Insecure errors when running setuid in apache error log
Olivier Berger
olivier.berger at it-sudparis.eu
Wed Jan 4 13:00:48 UTC 2012
On Mon, Dec 19, 2011 at 09:39:54PM +0100, Emmanuel Bouthenot wrote:
> Hi Olivier,
>
> On Thu, Dec 15, 2011 at 02:21:04PM +0100, Olivier Berger wrote:
> [...]
>
> > I'm not sure, but I don't think so, for those errors above.
> >
> > On the other hand, the problem with these warnings:
> > mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/Lock.pm line 253., referer: https://cgt-int.dnsalias.org/wws
> > mod_fcgid: stderr: Insecure dependency in open while running setuid at /usr/share/sympa/lib/List.pm line 9703., referer: https://cgt-int.dnsalias.org/wws
> > is still there in the squeeze-backports version (6.1.4~dfsg-1~bpo60+1)
> That's weird, I've never encountered such errors. Could you tell me more
> about your apache/fcgid setup for wwsympa?
>
OK: I have libapache2-mod-fcgid (1:2.3.6-1) and libapache2-mod-fastcgi (2.4.6-1) installed.
But:
# apache2ctl -t -D DUMP_MODULES
apache2: Could not reliably determine the server's fully qualified domain name, ...
Loaded Modules:
core_module (static)
log_config_module (static)
logio_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_file_module (shared)
authz_default_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
dir_module (shared)
env_module (shared)
fcgid_module (shared)
info_module (shared)
mime_module (shared)
negotiation_module (shared)
reqtimeout_module (shared)
setenvif_module (shared)
ssl_module (shared)
status_module (shared)
Syntax OK
and:
<IfModule mod_fcgid.c>
AddHandler fcgid-script .fcgi
FcgidConnectTimeout 20
</IfModule>
in /etc/apache2/mods-enabled/fcgid.conf
and:
Alias /static-sympa /var/lib/sympa/static_content
ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa-wrapper.fcgi
in /etc/apache2/conf.d/sympa
Dunno what else I could tell...
>
> > It seems that the wwsympa_sudo_wrapper.pl sudo wrapper is not
> > distributed in that version... so I'm not sure what's wrong....
> If I remember well, sudo wrapper was dropped from upstream sources about
> 2 years ago :)
Indeed... I was just having a look at the initial exchanges on that quite old (too) ticket ;)
>
> > I don't know if you want to take care about that backports version in this ticket.
> I will try to fix every bug I can reproduce :)
>
Thanks a lot.
Tell me if you need additional details.
Best regards,
--
Olivier BERGER
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)