Bug: testenv script should check effective uid with getpwuid($>) not "real" uid

Apache launches the httpd process as root, then swaps the effective UID as configured. e.g. see httpd.conf:

    #
    # Port: The port to which the standalone server listens. For
    # ports < 1023, you will need httpd to be run as root initially.
    #
    Port 80

    # If you wish httpd to run as a different user or group, you must run
    # httpd as root initially and it will switch.
    ...
    User www
    Group www

The testenv script for TWiki looks at the real UID, using

 my $usr = lc( getlogin || getpwuid($<) ); 

This is inappropriate; it should instead look at the effective UID of the httpd process, using

 my $usr = lc( getpwuid($>) ); 

Test case

I modified the testenv script, as:

    my $usr = lc( getlogin || getpwuid($<) );
    my $eusr = lc( getpwuid($>) );
    ...
    print "<tr><th align=\"right\">User:</th><td>$usr</td></tr>\n";
    print "<tr><th align=\"right\">Effective User:</th><td>$eusr</td></tr>\n";

The results:

User: root

Effective User: www

I also ran a very simple CGI on my server (it's a printenv script). I added the following code to the script:

    print "<P>\nI am ", `whoami`, " ", `id`, "\n<P>";
    system("touch /tmp/newfile");
    system("ls -al /tmp/newfile");
    unlink("/tmp/newfile");

The results:

I am www uid=80(www) gid=80(www) groups=80(www)

-rw-r--r-- 1 www wheel 0 Jun 1 22:49 /tmp/newfile

testenv claims I am running as user root; I am not; I am running as user www. testenv should be fixed to check the login ID vs the effective user ID and report the euid if the two results differ.

Environment

TWiki version: new, unmodified, TWiki20030201
TWiki plugins: n/a
Server OS: FreeBSD 4.7, Mac OS X Server
Web server: Apache 1.3.27
Perl version: v5.6.1 built for i386-freebsd
Client OS: Mac OS X 10.2.6
Web Browser: Safari or IE 5 (it doesn't matter)

-- VickiBrown - 02 Jun 2003

Follow up

This was reported a while back by email, and fixed in TWikiAlphaRelease - please try the latest CVSget:bin/testenv, where the code looks like this:

    # Get web server's user and group info
    my $usr = "";
    my $grp = "";
    if( $OS eq 'UNIX' or ($OS eq 'WINDOWS' and $perltype eq 'Cygwin' ) ) {
        $usr = lc( getpwuid($<) );      # Unix/Cygwin Perl
        foreach( split( " ", $( ) ) {
            my $onegrp = getgrgid( $_ );
            $grp .= " " . lc($onegrp);
        }
    } else {
        # ActiveState or other Win32 Perl
        $usr = lc( getlogin );
        # Try to use Cygwin's 'id' command - may be on the path, since Cygwin
        # is probably installed to supply ls, egrep, etc - if it isn't, give up.
        # Run command without stderr output, to avoid CGI giving error.
        # Get names of primary and other groups.
        $grp = lc(qx(sh -c '( id -un ; id -gn) 2>/dev/null' 2>nul ));
        if ($?) {
            $grp = "[Can't identify groups - no Cygwin 'id' or 'sh' command on path] ";
        }
    }

As you can see, getpwuid is now used on all Unix platforms, and getlogin only on non-CygWin Win32 platforms.

-- RichardDonkin - 02 Jun 2003

  • the getlogin will result in root (probably because Apache does not use setlogin(2))
  • the getpwuid($<) ($REAL_USER_ID) will result in www
  • the getpwuid($>) ($EFFECTIVE_USER_ID) will result in www

-- JanRuzicka - 05 Jun 2003

In this case, real = effective - however, if the consensus is that we should be using the effective userid and group, I'll change the code to reflect this. In a SecureSetup using suexec or similar, the effective would differ from real, but I don't have any problems with this on a Linux box that uses suexec with the current code.

-- RichardDonkin - 06 Jun 2003
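The check the original report asks for (compare the real and effective user, and report the effective one when they differ) can be written as a small stand-alone CGI. The script below is an added example for this thread, not the TWiki testenv code; it reads Perl's `$<`, `$>`, `$(` and `$)` variables, resolves them to names with getpwuid/getgrgid, and never calls getlogin, which is what gave the misleading "root" in the report. The HTML table layout mirrors the testenv rows quoted above; the `identity` function name and the mismatch note are this example's own.

```perl
#!/usr/bin/perl
# Added example (not TWiki's testenv): report the CGI process's real and
# effective user/group, and flag a mismatch such as the one seen under
# suexec or after Apache's User/Group switch.
use strict;
use warnings;

# Resolve a numeric uid to a lower-case login name; fall back to the number
# if the uid has no passwd entry (e.g. inside a chroot with no /etc/passwd).
sub uid_name {
    my ($uid) = @_;
    my $name = getpwuid($uid);
    return defined $name ? lc $name : "uid $uid";
}

# $( and $) hold "primary_gid gid1 gid2 ...": the first field is the primary
# group and the rest are supplementary groups. Resolve each to a name.
sub gid_names {
    my ($gid_list) = @_;
    my @names = map {
        my $g = getgrgid($_);
        defined $g ? lc $g : "gid $_";
    } split ' ', $gid_list;
    return join " ", @names;
}

# Collect the four identities; 'mismatch' is set when the effective uid
# differs from the real uid, which is the case testenv was misreporting.
sub identity {
    my %id = (
        real_uid => $<,
        eff_uid  => $>,
        real_gid => $(,
        eff_gid  => $),
    );
    $id{real_user}   = uid_name($id{real_uid});
    $id{eff_user}    = uid_name($id{eff_uid});
    $id{real_groups} = gid_names($id{real_gid});
    $id{eff_groups}  = gid_names($id{eff_gid});
    $id{mismatch}    = ($id{real_uid} != $id{eff_uid}) ? 1 : 0;
    return \%id;
}

my $id = identity();

# CGI header; harmless when the script is run from a shell for testing.
print "Content-type: text/html\n\n";
print "<table>\n";
print "<tr><th align=\"right\">User:</th><td>$id->{real_user}</td></tr>\n";
print "<tr><th align=\"right\">Effective User:</th><td>$id->{eff_user}</td></tr>\n";
print "<tr><th align=\"right\">Groups:</th><td>$id->{real_groups}</td></tr>\n";
print "<tr><th align=\"right\">Effective Groups:</th><td>$id->{eff_groups}</td></tr>\n";
if ($id->{mismatch}) {
    # File ownership and permission checks on the TWiki data/pub directories
    # are decided by the effective identity, so that is the one to act on.
    print "<tr><td colspan=\"2\">Note: effective user differs from real user; ",
          "check directory ownership against the effective user.</td></tr>\n";
}
print "</table>\n";
```

Run it once from a shell (where real and effective normally agree) and once as a CGI under Apache; with `User www` in httpd.conf the effective row should read `www` regardless of what getlogin would have returned.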

Fix record

Now fixed in TWikiAlphaRelease. Sorry for the delay, but nobody replied to the above...

-- RichardDonkin - 11 Sep 2003

Topic revision: r8 - 2003-12-17 - PeterThoeny