Hiawatha version : 6.17.1 (CGI-Wrapper bug fixed)
Operating System : Ubuntu 9.04 Server
Introduction
I am glad to hear that Hiawatha's cgi-wrapper is working fine with Capabilities. I would like to make my webserver more secure than before, although I already know that application flaws are also a concern.
Background
Ubuntu 9.04 Server has libcap2 already installed. It is believed that the kernel option CONFIG_SECURITY_FILE_CAPABILITIES=y is set and compiled in.
However, Ubuntu 9.04 Server comes without the libcap2 commands. Therefore, the following package needs to be installed for the purpose.
sudo apt-get install libcap2-bin
In addition, CGI-Wrapper worked fine before the Capabilities were implemented.
Capabilities Implementation
Then I issued the following commands for cgi-wrapper and no error was displayed.
sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper
The result of getcap
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep
Problem
When I visit my site, "500 - Internal server error" comes to my eyes. And the error in the log is attached.
/var/log/hiawatha/error.log
Tue 29 Sep 2009 08:06:25 +0800|192.168.0.1|/var/www/index.php|CGI-Wrapper v6.17.1|Only the Hiawatha webserver is allowed to execute this program.
Tue 29 Sep 2009 08:06:25 +0800|192.168.0.1|/var/www/index.php|no output
Questions
(1) What is wrong with my setup? Do I need to reboot the system?
(2) What if I reset the suid to the original and still set capabilities?