[freeside] signup.cgi problems (says 'not running as freeside user')

Randall Lucas rlucas at tercent.net
Wed Apr 14 14:28:00 PDT 2004


Henry --

Could you please wikify this?  A general wiki section under setuid / permission problems would be very helpful, with sections for folks on different
OSes or using different methods (e.g. setuid, apache User directives, separate instances, etc).

http://www.sisd.com/cgi-bin/wiki.pl?Setuid/Permission_Problems

Best,

Randall

imp at justneworleans.com wrote:

> Hello Ivan,
>
> Thanks for sending me in the right direction.  OpenBSD doesn't have suidperl,
> but it does allow, nowadays at least, secure setuid scripts.  With this new
> information in hand I was able to solve the initial problem; another, however,
> has cropped up.  It might be helpful to later archive scourers to see the steps
> I took, so, briefly:
>
> 1) /etc/fstab had the /var filesystem (where the script & Apache are) nosuid
> restricted (OpenBSD default).  Changed this;
> 2) By default on OpenBSD, httpd runs in a chroot.  A few things were missing in
> the chroot that the script/Apache needed: in this case, the /etc/spwd.db file
> from outside the chroot that contained the entry for the 'freeside' user I had
> added (I had an older one without 'freeside' in it), & the /dev/fd/# devices,
> which I had to create inside the chroot with MAKEDEV.  /dev/fd is OpenBSD's
> method of dealing with secure setuid scripts.  Helpful note: ktrace (or
> equivalent) is a lifesaver if you run anything in a chroot, since you can see
> when system calls fail, & what libraries are missing, etc.
>
> But, the new problem:
>
> Now that signup.cgi can be invoked by the webserver, it is getting the same
> errors that I got from the command line before.  Another '500 internal server
> error'; in the error_log:
>
> "my" variable $prefix masks earlier declaration in same scope at /dev/fd/6 line
> 490.
> connect: Socket operation on non-socket at
> /usr/local/libdata/perl5/site_perl/FS/SignupClient.pm line 109.
>
> and 'premature end of script headers' error.
>
> A ktrace dump has slightly more specific information:
>
> 23604 perl    CALL connect(0x4,0x3c007780,ox6a)
> 23604 perl    NAMI "/usr/local/freeside/fs_signupd_socket"
> 23604 perl    RET connect -1 errno 38 Socket operation on non-socket
> . . .
> 23604 perl    CALL write(0x2,0x3c1dae80,0x6b)
> 23604 perl    GIO fd 2 wrote 107 bytes
>     "connect: Socket operation on non-socket at /usr/local . . .".
>
> Again, I've followed the directions in the manual.  Here are the permissions
> for
> /usr/local/freeside/fs_signupd_socket (actually at /var/www/usr/local/freeside,
> but inside the chroot it appears as /usr/local/freeside):
>
> -rw------- 1 freeside freeside     0 Apr 13 23:05 fs_signupd_socket
>
> I don't know what to make of the "my" variable masking, either.  Could it be
> related to the socket problem?
>
> In any event, what could be causing the connection to the socket to fail, & how
> might it be remedied?
>
> Thanks again,
> Henry
>
> Quoting ivan <ivan at 420.am>:
>
> > I don't believe OpenBSD has suidperl (like most other freenix) or secure
> > setuid scripts (like Solaris).  You could try "wrapsuid" from the Perl
> > distribution (or something similar) or compile Perl yourself and include
> > suidperl.
> >
> > --
> > _ivan
> >
> >
> > On Tue, Apr 13, 2004 at 08:11:11PM -0500, imp at justneworleans.com wrote:
> > >
> > >
> > > I'm having a problem getting signup.cgi to run on my public webserver (as
> > > opposed to the freeside backend server).  My browser reports a '500 internal
> > > server error' when I try to access the file; the Apache error log shows the
> > > following relevant information:
> > >
> > > -----
> > > [Tue Apr 13 19:31:38 2004] [error] [client 66.93.250.250] script not found or unable to stat: /cgi-bin/setup.cgi
> > > Use of uninitialized value in numeric ne (!=) at
> > > /usr/local/libdata/perl5/site_perl/FS/SignupClient.pm line 26.
> > > not running as freeside user
> > > Compilation failed in require at /cgi-bin/signup.cgi line 31.
> > > BEGIN failed--compilation aborted at /cgi-bin/signup.cgi line 31.
> > > [Tue Apr 13 19:32:06 2004] [error] [client 66.93.250.250] Premature end of
> > > script headers: /cgi-bin/signup.cgi
> > > -----
> > >
> > > I'm using: OpenBSD 3.4 (patch branch), Perl rev 5.0 version 8 subversion 0,
> > > Freeside 1.4.1 (stable, fresh off the download site), all the requisite perl
> > > modules pulled off CPAN & showing no symptoms of malfunction.
> > >
> > > I've followed the instructions at http://www.sisd.com/freeside/docs/signup.html
> > > to a tee.
> > >
> > > The permissions for signup.cgi are as follows:
> > >
> > > -r-sr-xr-x 1 freeside freeside  20702 Apr 11 14:29 signup.cgi
> > >
> > > Apache runs as user 'www'.
> > >
> > > When invoked from the command line as user 'freeside', it produces the
> > > following
> > > to stdout:
> > >
> > > "my" variable $prefix masks earlier declaration in same scope at ./signup.cgi line 490.
> > > connect: Socket operation on non-socket at
> > > /usr/local/libdata/perl5/site_perl/FS/SignupClient.pm line 109.
> > >
> > >
> > > These two responses together are all the output I've managed to get out of the
> > > script so far.  Needless to say I haven't got it to the point where I can see
> > > how it interacts with my Freeside backend.
> > >
> > > Is there something I'm missing, & if so, what could it be?
> > >
> > > Thanks, everyone.
> > >
> > > Regards,
> > > Henry
> > >
> > > ----------------------------------------------------------------
> > > Fast reliable Internet with all the bells & whistles.  First two months for
> > the price of one.  Just New Orleans.com! http://www.justneworleans.com
> > >
> >
> > --
> > _ivan
> >
>
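
Added example, not part of the original thread or of Freeside: shell checks for the preconditions the quoted messages walk through (a nosuid mount, the setuid bit and owner on signup.cgi, and whether fs_signupd_socket is really a socket). The function names are hypothetical, the mount listing is a constructed sample in OpenBSD's output format, and the /var/www/cgi-bin path assumes the chroot location implied by the socket path above.

```shell
#!/bin/sh
# Added example: checks for a setuid CGI under a chrooted httpd.
# All function names are hypothetical; SAMPLE_MOUNT is constructed.

# Constructed sample in OpenBSD `mount` output format.
SAMPLE_MOUNT='/dev/wd0a on / type ffs (local)
/dev/wd0e on /var type ffs (local, nodev, nosuid)'

# Print the option list of the filesystem holding path $1.
# stdin: `mount` output. The longest matching mount point wins.
mount_opts_for() {
    awk -v p="$1" '
        { mp = $3 }
        (mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) > best {
            best = length(mp); o = $0
            sub(/^[^(]*\(/, "", o); sub(/\).*$/, "", o); opts = o
        }
        END { print opts }'
}

# True when the filesystem holding $1 is mounted nosuid (stdin: mount output).
is_nosuid() {
    mount_opts_for "$1" | tr -d ' ' | tr ',' '\n' | grep -qx 'nosuid'
}

# Print the owner of $1 if its setuid bit is set; fail otherwise.
setuid_owner() {
    [ -u "$1" ] || return 1
    ls -ld "$1" | awk '{ print $3 }'
}

# Classify a path: a listing that starts with "-" is a regular file,
# a Unix-domain socket starts with "s" and passes test -S.
file_kind() {
    if   [ -S "$1" ]; then echo socket
    elif [ -f "$1" ]; then echo regular
    elif [ -e "$1" ]; then echo other
    else echo missing
    fi
}

# Demo on the constructed data: /var carries nosuid, so a setuid
# script anywhere below it would run without its setuid bit honoured.
if printf '%s\n' "$SAMPLE_MOUNT" | is_nosuid /var/www/cgi-bin/signup.cgi; then
    echo "nosuid mount: setuid bit on signup.cgi is ignored"
fi
```

On a live host, pipe real output instead of the sample, e.g. `mount | is_nosuid /var/www/cgi-bin/signup.cgi`, and run `file_kind` on the socket path as seen from outside the chroot.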



