On Fri, Jan 09, 2004 at 04:00:44PM -0500, Herbert Graf wrote:

Herbert, I hadn't heard back. Any luck?

>>> That's not an option for the app in question. Thanks anyways. TTYL
>>
>> OK. Then let's get some further clarification:
>>
>> 1) What type of file is the program that is actually accessing the port? Is it
>>    an executable or a script? What's its SUID status?
>
> It's an executable. Its suid is set, it's owned by root:root and allows
> all to execute.

Check.

>> 2) What's the CGI? Is it an executable or a script? What is its
>>    SUID status?
>
> It's a perl script, it has its SUID bit set and is owned by root:root.

I'm pretty sure that it doesn't matter, as we've talked about before. The script is interpreted by an executable that most likely isn't set suid root.

>> 3) What is the connection between the script and the program that
>>    accesses the webcam?
>
> It checks a few files,
> runs the capture program,

Now here's the interesting part. Since the executable is suid root, and anyone can run it, then when Apache runs this, it should turn suid root and work. Could the problem be where you are running the application? The command line will have a different working directory than when apache runs.

> runs another program that transforms the image based on some settings and outputs the result. The
> script returns content type jpg and spits out the jpg data. It works as
> root, and it works if I change it to work on output saved from before.

So there's something about the actual execution of the executable from the perl script that fails. I'd probably test with a dummy SUID executable that prints the UID, EUID, and working directory to a log file. Test from the command line, and then from your CGI script. The info will probably give you the difference in the two.

>> 4) What error do you get when you attempt to invoke the webcam
>>    program from the script?
>
> port = 0x378: access denied, or something like that.

That sounds like an ioport call from a non root user.

Maybe apache is forcing the suid app to not run in suid mode? That would be a good security feature. But I have a couple of scripting apps that are SUID, and they work fine when invoked from Apache.

Questions, Questions.

BAJ

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads
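The dummy SUID diagnostic suggested in the reply above, written out as an added example (not code from the thread or from Herbert's setup): it records real/effective uid and gid plus the working directory, flags whether the setuid bit actually took effect, and notes whether the effective identity could even ask for raw port access. The log path is a placeholder to be replaced with one the web server's user can write to.

```c
/* suid-diag.c: hypothetical setuid diagnostic (added example, not from the thread). */
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

struct id_report {
    uid_t ruid, euid;
    gid_t rgid, egid;
    char cwd[PATH_MAX];
};

/* Capture what differs between a shell run and an Apache run: real/effective ids and cwd. */
int collect_report(struct id_report *r) {
    r->ruid = getuid();  r->euid = geteuid();
    r->rgid = getgid();  r->egid = getegid();
    if (getcwd(r->cwd, sizeof r->cwd) == NULL) { r->cwd[0] = '\0'; return -1; }
    return 0;
}

/* Raw I/O port access (the 0x378 parallel port in the thread) needs euid 0 on Linux
   (ioperm/iopl); a non-zero euid here explains an "access denied" from the port call. */
int can_request_ioport(const struct id_report *r) { return r->euid == 0; }

/* One log line; gained_root=1 means the setuid bit took effect for a non-root caller. */
int format_report(const struct id_report *r, char *buf, size_t len) {
    int n = snprintf(buf, len, "ruid=%lu euid=%lu rgid=%lu egid=%lu gained_root=%d cwd=%s",
                     (unsigned long)r->ruid, (unsigned long)r->euid, (unsigned long)r->rgid,
                     (unsigned long)r->egid, r->ruid != 0 && r->euid == 0, r->cwd);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Append to a file the web server's user can write to, so the unprivileged case logs too. */
int append_log(const char *path, const char *line) {
    FILE *f = fopen(path, "a");
    if (f == NULL) return -1;
    int ok = fprintf(f, "%s\n", line) > 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void) {
    struct id_report r;
    char line[PATH_MAX + 128];
    if (collect_report(&r) != 0 || format_report(&r, line, sizeof line) < 0) return 1;
    return append_log("/tmp/suid-diag.log", line) == 0 ? 0 : 1;  /* placeholder path */
}
```

Run it once from the shell and once from the CGI script; a line showing the same ruid but a different euid or cwd between the two runs points at where the webcam program's invocation diverges.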