[Serusers] Fw: Serweb problems - 0.8.12

Jim Burwell jimb at jsbc.cc
Thu Nov 27 00:03:36 CET 2003


Ok.  I didn't know that SER had the ability to change the GID it runs 
under (and therefore change the group owner of the FIFO hopefully).  
This would solve the problem.  In my case I'd just set "group=serfifo".

HOWEVER, when I try this, I get:

    {root at fs/pts/7}~# ser -P /var/run/ser.pid -dddd -g serfifo
    Segmentation fault


I tried it both in ser.cfg (group=serfifo), and both as text group 
names, and as a numeric group ID (499 in my case).  Both caused a 
SEGFAULT.  This is the SER CVS from the "0.8.11-r1" branch, compiled on 
a RH7.3 system w/ gcc 2.96.

I can't really see a reason for this SEGF except for a possible null 
pointer dereference in this code seg:

    if ((tmp==0) ||(*tmp)){

Don't have time to debug at the moment.

- Jim

Andrei Pelinescu-Onciul wrote:

>On Nov 25, 2003 at 14:49, Jim Burwell <jimb at jsbc.cc> wrote:
>  
>
>>Yes.  When they changed the permissions on the FIFO, they made it 
>>inaccessible to the normal Apache user.  Too bad they didn't make the 
>>fifo owner/permissions a config file setting.  I just created a group 
>>called "serfifo", made "apache" a member of it, and put something like 
>>"(sleep 5; chgrp serfifo $SERFIFO) &" into my SER startup script.  This 
>>waits in the background for five seconds, then changes group ownership 
>>of the FIFO to one the apache user is a member of.  You have to wait a 
>>few seconds before doing the chgrp, because SER forks immediately on 
>>start, and can take some time to create the FIFO, so your chgrp can 
>>actually execute before the FIFO is created (race condition), so you 
>>must give it a few seconds.  The FIFO already has group rw perms as 
>>created by SER.
>>    
>>
>
>Fifo permissions can be changed from the config file. Use
>fifo_mode=0666. You could try also to change your ser group (start ser
> with -g serinfo or add group=serinfo in the cfg).
>
>We changed the fifo permissions because it introduced some security
>problems on multi-user (read untrusted users) systems (DOS on ser using
>fifo, overwriting files using fifo and setting the reply fifo to a link
>in /tmp to some file elsewhere on the filesystem.). Now also ser will
> try to delete & recreate /tmp/fifo on startup to make sure it has the
> proper permissions.
>
>
>
>Andrei
>  
>

-- 
+---------------------------------------------------------------------------+
|         Jim Burwell - Sr. Systems/Network/Security Engineer, JSBC         |
+---------------------------------------------------------------------------+
| "I never let my schooling get in the way of my education." - Mark Twain   |
| "UNIX was never designed to keep people from doing stupid things, because |
|  that policy would also keep them from doing clever things." - Doug Gwyn  |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco          |
| "..Government in its best state is but a necessary evil; in its worst     |
|  state an intolerable one.." - Thomas Paine, "Common Sense" (1776)        |
+---------------------------------------------------------------------------+
|   Email:  jimb at jsbc.cc                              ICQ UIN:  1695089     |
+---------------------------------------------------------------------------+
|  Reply problems ?  Turn off the "sign" function in email prog.  Blame MS. |
+---------------------------------------------------------------------------+
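
A bounded polling alternative to the fixed "sleep 5; chgrp" workaround quoted above, as an added example that is not part of the original message or of SER. The function name fifo_chgrp and its return codes are assumptions; it waits for the FIFO to appear and refuses symlinks and non-FIFO paths before changing the group.

```shell
#!/bin/sh
# Added example (not SER code, not from the original post).
# fifo_chgrp PATH GROUP [TIMEOUT_SECONDS]
# Polls until PATH exists, then hands group ownership to GROUP only if PATH
# is a real FIFO (not a symlink or a regular file).
# Returns: 0 = group changed, 1 = timed out waiting for the FIFO,
#          2 = path exists but is not a FIFO, 3 = chgrp failed.
fifo_chgrp() {
    fifo=$1
    group=$2
    timeout=${3:-10}
    waited=0

    while [ "$waited" -lt "$timeout" ]; do
        # -L is true for any symlink, even a dangling one. Refuse it so the
        # chgrp is never redirected to a file elsewhere on the filesystem.
        if [ -L "$fifo" ]; then
            return 2
        fi
        if [ -e "$fifo" ]; then
            [ -p "$fifo" ] || return 2
            # -h acts on the path itself, never on a symlink target, in case
            # the path is swapped between the test above and this call.
            chgrp -h "$group" "$fifo" || return 3
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Usage in a startup script, in place of "(sleep 5; chgrp serfifo $SERFIFO) &":
#   fifo_chgrp "$SERFIFO" serfifo 10 &
```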
