
权限 – 带有chrooted环境的suexec

作者:互联网

我正试图让一个chrooted Apache环境与suexec一起运行mod_fcgid.

查看jail中的suexec日志,包装脚本正在执行而没有任何问题,但是,当我查看Apache的错误日志时,我看到下面的错误;

suexec failure: could not open log file
fopen: Permission denied

suexec.log;

[2013-06-20 01:15:39]: uid: (500/user) gid: (500/user) cmd: php-fcgi-starter
[2013-06-20 01:16:30]: uid: (500/user) gid: (500/user) cmd: php-fcgi-starter
[2013-06-20 01:16:39]: uid: (500/user) gid: (500/user) cmd: php-fcgi-starter
[2013-06-20 01:18:07]: uid: (500/user) gid: (500/user) cmd: php-fcgi-starter
[2013-06-20 01:22:21]: uid: (500/user) gid: (500/user) cmd: php-fcgi-starter

当我同时使用php和suexec时,它们不会抱怨任何缺失的库或文件。日志显示“无法打开日志文件”,但它显然能够把日志写入jail内的日志文件中。这个设置有什么问题?什么可能触发此错误?

编辑:

strace 跟踪结果:

[pid  9912] rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER|SA_INTERRUPT, 0x7fca687fe500}, {SIG_DFL, [], 0}, 8) = 0
[pid  9912] chdir("/var/www/username/cgi-bin/") = 0
[pid  9912] execve("/usr/sbin/suexec", ["/usr/sbin/suexec", "500", "500", "php-fcgi-starter"], [/* 1 var */]) = 0
[pid  9912] brk(0)                      = 0x7f2d71e91000
[pid  9912] fcntl(0, F_GETFD)           = 0
[pid  9912] fcntl(1, F_GETFD)           = 0
[pid  9912] fcntl(2, F_GETFD)           = 0
[pid  9912] access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f2000
[pid  9912] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid  9912] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=13704, ...}) = 0
[pid  9912] mmap(NULL, 13704, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f2d715ee000
[pid  9912] close(3)                    = 0
[pid  9912] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid  9912] read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\355\1\0\0\0\0\0"..., 832) = 832
[pid  9912] fstat(3, {st_mode=S_IFREG|0755, st_size=1916568, ...}) = 0
[pid  9912] mmap(NULL, 3745960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f2d71041000
[pid  9912] mprotect(0x7f2d711cb000, 2093056, PROT_NONE) = 0
[pid  9912] mmap(0x7f2d713ca000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x189000) = 0x7f2d713ca000
[pid  9912] mmap(0x7f2d713cf000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f2d713cf000
[pid  9912] close(3)                    = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f9000
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715ed000
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715ec000
[pid  9912] arch_prctl(ARCH_SET_FS, 0x7f2d715ed700) = 0
[pid  9912] mprotect(0x7f2d713ca000, 16384, PROT_READ) = 0
[pid  9912] mprotect(0x7f2d715f3000, 4096, PROT_READ) = 0
[pid  9912] munmap(0x7f2d715ee000, 13704) = 0
[pid  9912] brk(0)                      = 0x7f2d71e91000
[pid  9912] brk(0x7f2d71eb2000)         = 0x7f2d71eb2000
[pid  9912] getuid()                    = 48
[pid  9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid  9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  9912] close(3)                    = 0
[pid  9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid  9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  9912] close(3)                    = 0
[pid  9912] open("/etc/nsswitch.conf", O_RDONLY) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=1688, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid  9912] read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1688
[pid  9912] read(3, "", 4096)           = 0
[pid  9912] close(3)                    = 0
[pid  9912] munmap(0x7f2d715f1000, 4096) = 0
[pid  9912] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=13704, ...}) = 0
[pid  9912] mmap(NULL, 13704, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f2d715ee000
[pid  9912] close(3)                    = 0
[pid  9912] open("/lib64/libnss_files.so.2", O_RDONLY) = 3
[pid  9912] read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360!\0\0\0\0\0\0"..., 832) = 832
[pid  9912] fstat(3, {st_mode=S_IFREG|0755, st_size=65928, ...}) = 0
[pid  9912] mmap(NULL, 2151824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f2d70e33000
[pid  9912] mprotect(0x7f2d70e3f000, 2097152, PROT_NONE) = 0
[pid  9912] mmap(0x7f2d7103f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f2d7103f000
[pid  9912] close(3)                    = 0
[pid  9912] mprotect(0x7f2d7103f000, 4096, PROT_READ) = 0
[pid  9912] munmap(0x7f2d715ee000, 13704) = 0
[pid  9912] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid  9912] fcntl(3, F_GETFD)           = 0x1 (flags FD_CLOEXEC)
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=952, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid  9912] read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 952
[pid  9912] close(3)                    = 0
[pid  9912] munmap(0x7f2d715f1000, 4096) = 0
[pid  9912] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=952, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid  9912] read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 952
[pid  9912] close(3)                    = 0
[pid  9912] munmap(0x7f2d715f1000, 4096) = 0
[pid  9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid  9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  9912] close(3)                    = 0
[pid  9912] socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
[pid  9912] connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  9912] close(3)                    = 0
[pid  9912] open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=520, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid  9912] read(3, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 520
[pid  9912] close(3)                    = 0
[pid  9912] munmap(0x7f2d715f1000, 4096) = 0
[pid  9912] open("/var/log/httpd/suexec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 3
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=17043, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f1000
[pid  9912] fstat(3, {st_mode=S_IFREG|0644, st_size=17043, ...}) = 0
[pid  9912] lseek(3, 17043, SEEK_SET)   = 17043
[pid  9912] gettimeofday({1371690955, 897472}, NULL) = 0
[pid  9912] open("/etc/localtime", O_RDONLY) = 4
[pid  9912] fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
[pid  9912] fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f0000
[pid  9912] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2102
[pid  9912] lseek(4, -1337, SEEK_CUR)   = 765
[pid  9912] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 1337
[pid  9912] close(4)                    = 0
[pid  9912] munmap(0x7f2d715f0000, 4096) = 0
[pid  9912] write(3, "[2013-06-20 03:15:55]: uid: (500"..., 77) = 77
[pid  9912] setgid(500)                 = 0
[pid  9912] open("/proc/sys/kernel/ngroups_max", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  9912] open("/etc/group", O_RDONLY|O_CLOEXEC) = 4
[pid  9912] fstat(4, {st_mode=S_IFREG|0644, st_size=520, ...}) = 0
[pid  9912] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2d715f0000
[pid  9912] lseek(4, 0, SEEK_CUR)       = 0
[pid  9912] read(4, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 520
[pid  9912] read(4, "", 4096)           = 0
[pid  9912] close(4)                    = 0
[pid  9912] munmap(0x7f2d715f0000, 4096) = 0
[pid  9912] setgroups(1, [500])         = 0
[pid  9912] setuid(500)                 = 0
[pid  9912] getcwd("/var/www/username/cgi-bin", 4096) = 22
[pid  9912] chdir("/var/www")           = 0
[pid  9912] getcwd("/var/www", 4096)    = 9
[pid  9912] chdir("/var/www/username/cgi-bin") = 0
[pid  9912] lstat("/var/www/username/cgi-bin", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
[pid  9912] lstat("php-fcgi-starter", {st_mode=S_IFREG|0755, st_size=128, ...}) = 0
[pid  9912] close(3)                    = 0
[pid  9912] munmap(0x7f2d715f1000, 4096) = 0
[pid  9912] execve("php-fcgi-starter", ["php-fcgi-starter"], [/* 1 var */]) = -1 ENOENT (No such file or directory)
[pid  9912] open("/var/log/httpd/suexec.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid  9912] write(2, "suexec failure: could not open l"..., 40) = 40
[pid  9912] write(2, "fopen: Permission denied\n", 25) = 25
[pid  9912] exit_group(1)               = ?

最后约20行是服务器抛出错误的地方。注意其中的顺序:suexec 先成功写入了 /var/log/httpd/suexec.log,然后 setgid(500)/setuid(500) 放弃特权,随后 execve("php-fcgi-starter") 返回 ENOENT(尽管之前的 lstat 显示该文件存在,这很可能意味着脚本 shebang 所指的解释器在 jail 内找不到);此时 suexec 以 uid 500 重新打开日志文件失败(EACCES),所以“could not open log file”只是掩盖了真正执行失败的次生症状。

解决方法:

这看起来像权限问题。具体来说,我相信SUExec要求目录 /var/www/html 和 /var/www/cgi-bin/php5/php-fcgi-starter 由同一用户拥有。

我确保它们都归 uid:500 和 gid:500 所有,或者归你特定系统/设置所使用的用户所有。

标签:php,permissions,chroot,apache-httpd,suexec
来源: https://codeday.me/bug/20190810/1638641.html