Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
Enabling cgid in apache2 (with a2enmod cgid) results in an error when using mpm_event:
[cgid:error] [pid 8943:tid 140189712234240] (22)Invalid argument: [client x.x.x.x:49364] AH01257: unable to connect to cgi daemon after multiple tries: /usr/lib/cgi-bin/xxxxxx
Meanwhile, the user receives a 503 HTTP error, rather than the CGI content.
Upon launch, Apache creates /var/run/apache2/cgisock.PID (where PID is the PID in question), however it does that as the www-data user and root group, who does not have write access to /var/run/apache2 (where only the root user has write permission).
To fix this, chmod g+rwx /var/run/apache2 fixes the issue. Since we're only adding the root group, this likely has a minimal security effect.
Alternately, the default directive of
/etc/apache2/mods-available/cgid.conf: ScriptSock ${APACHE_RUN_DIR}/cgisock
Should not point to a folder that does not have write access by www-data user and a subfolder with more open permission should be created.
Thanks for the report. Alternative: I tried to move cgid socket into
${APACHE_RUN_DIR}/socks/cgisock, created now by apache2ctl and owned by
www-data
(https://salsa.debian.org/apache-team/apache2/-/pipelines/395609). Then
no security changes.
Let's wait for pipeline result
We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1014056@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Yadd <yadd@debian.org> (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) Format: 1.8 Date: Tue, 05 Jul 2022 15:49:58 +0200 Source: apache2 Built-For-Profiles: nocheck Architecture: source Version: 2.4.54-2 Distribution: unstable Urgency: medium Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Changed-By: Yadd <yadd@debian.org> Closes: 1014056 Changes: apache2 (2.4.54-2) unstable; urgency=medium . * Move cgid socket into a writeable directory (Closes: #1014056) * Update lintian overrides * Declare compliance with policy 4.6.1 * Install NOTICE in each package Checksums-Sha1: 226a920fa24572c8830260faabf41cd54f489263 3488 apache2_2.4.54-2.dsc ce536f24a36c06243b691c9ca164c4e3eba875ca 899544 apache2_2.4.54-2.debian.tar.xz Checksums-Sha256: a7a5025128d97f4477819a9f77eea997cdd3c509e6f7e1db011ea53ba297f44a 3488 apache2_2.4.54-2.dsc a7f1eea74cdd1566b8af3df1fcd46dc2457eb705380bccd4c3c8bdfa3774712d 899544 apache2_2.4.54-2.debian.tar.xz Files: f65a84c5fae1dce3c96ba8dea6f6401e 3488 httpd optional apache2_2.4.54-2.dsc acb82e34859ad39e7b500c8dd9b06078 899544 httpd optional apache2_2.4.54-2.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmLH0UkACgkQ9tdMp8mZ 7unoTQ//WgEAsikONdZugcR8Z9bJIqgH+NHxGm5Nq4R7JxHvAe/J2BH9njDNvuQo 3IGPSkmYP0MuaLjBpxEIrwYae9ek5n7TS38yjFh6imYqPWyTEsihNqehO495+mDC EpREpCOVOuxbl6ApiIhe+S24vrJHVj3KdVh5AR5fUq9lyu16qu5nYvqob4LLEGXZ x9ba5peklYRqr9TrBfsM84Cxlz3m75i+09U9PXWLBEy/Gh3QvEGXYHQR4ua8eDG0 YdQ1ORjQoFGFZWMBKRxyifzO2ZMh6BgSdfxyjKr9BDgIHKPM8X/XVi1Nyq6Xs2aT Up8XyJF/AN9yiQYk4DdjD4TEpiINSejI635w4LUU/EzKFXVDEOG54uT7Ni4z5mv0 ABqL58Y+eLDwrmBUbkVuYbhH8SE1k3yHALnuB3pYi4OO1Pvz7qNO/ms2FBNrtk6J jwJcf8M35R3KFq6YtAsuO9TbX/Wefi4E5KtujMXSTZEdA/o6kNjPUQeHaJ5ZJ9sT 0JUd9pk1L8VeJv/OZW++2N+QvZnP3VgzXM3hP6+jNNgDQjq+n+a30NAdMjK3cCL1 ARMoSwboIwmGLLMEHovz7dlYbV0+pXaeMBxgwIs5R2mZfTYRKERSwbkW10bM1HF4 fKgAJUJJhgkLqTnjAOeHwuEtLIljNw19Vw4Zq6gbk/4foD4bJhM= =WEvL -----END PGP SIGNATURE-----