[Bug 253268] Re: php5-cgi not working with suphp in Hardy

dx9s dx9s at hotmail.com
Thu Aug 7 19:11:32 BST 2008

It's worse.. it has to do with the security patch applied (something to
do with symlink or something).

I've isolated the bug to this patch. (this is how I did it):

Hardy (as of Aug 7th even) w/ "current" suphp 0.6.2-2ubuntu1 fails

I went ahead and download the source and make my own .deb for
0.6.2-1ubuntu1 (aka made a "hardy" version of  libapache2-mod-
suphp_0.6.2-1ubuntu1_i386.deb  and  suphp-

and removed 0.6.2-2ubuntu1 and installed 0.6.2-1ubuntu1 and the SAME
apache configuration (which includes suphp options) works and executes
files fine.

upgrade back to the offical "current" 0.6.2-2ubuntu1 and it fails about
not just the PARENT directory but ALL grandparent directories not being
owned by the same UID as the php script. This is a serious bug the
"patch" fixed as it is impossible to give all parent directories over to
a particular UID ... at some point it must be owned by .... hmmm lets
say "ROOT" !!!! (UID 0)

I don't think the patch was well tested before it was accepted into
fixing whatever problem it claims to fix.

so until the maintainers of suphp and the maintainer of the .deb
packages for hardy (if you have gutsy, they haven't back ported that
patch to it so STAY with gutsy if you use suphp) get together and figure
out where this patch has failed -- it will never get fixed....

or do what I did and roll back to older .deb !! (I mean a) update/patch
suphp and have it NOT work or b) roll back suphp and have it work with
possible [minor] security issue)

PLEASE READ CLOSELY .. it's the patch that was introduced between
0.6.2-1ubuntu1 and 0.6.2-2ubuntu1 (see CVE-2008-1614 "Fix race condition
in symlink handling")

In my case.. I have /var/www (UID root) ... /var/www/"site-name" (UID
www-data, same as apache UID) and /var/www/"site-
name"/htdocs/..../folder (UID X where "X" is same UID as script that
executes in that folder)...

With the patch applied. all parent folders must be owned by UID X
(/var/www , /var/www/"site-name", /var/www/"site-name"/htdocs, /var/www
/"site-name"/htdocs/..../folder <--- all must be owned by UID X for
script in "folder" to work) -- this is a serious break-age of suphp!!!!

--dx9s (Doug)

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1614

php5-cgi not working with suphp in Hardy 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.

More information about the Ubuntu-server-bugs mailing list