>Number:         3289
>Category:       bin
>Synopsis:       <File permission break Bourne Shell CGI scripts>
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar  4 18:05:00 1997
>Last-Modified:
>Originator:     Thomas J. Wye
>Organization:
		<Bay Area internet Solutions>
>Release:        NetBSD-current source 4/3/97
>Environment:
System: NetBSD baygate 1.2C NetBSD 1.2C (ANCHOR) #3: Tue Feb 25 10:00:05 PST 1997 navas@shell2:/usr/src/sys/arch/i386/compile/ANCHOR i386


>Description:

There seems to be a NEW file permission problem in netbsd-current 
that causes Bourne shell CGI's to fail depending on file permission settings.

This seems to have been introduced between Jan 17-Feb 5

My Web server Apache 1.1.3 is running as user "nobody"

I have the following Unix file permission turned on for each directory:

drwx--x--x   4 abc   vip          512 Jan  6 15:10 abc

drwx-rx-rx   4 abc   vip          512 Jan  6 15:10 abc/public_html

drwx-rx-rx   4 abc   vip          512 Jan  6 15:10 abc/public_html/cgi-bin

When a simple Bourne shell CGI script is executed from 
directory abc/public_html/cgi-bin by the Web server the following 
error message is displayed.

getcwd() failed: Permission denied

The error message is generated from /bin/sh in routine cd.c with
the execution of the getcwd function.

If read permission is turned on at the abc/ root level for "other" (chmod o+r abc) the Bourne CGI scripts works fine.

Perl scripts run from the same cgi-bin directory seem to work fine.


>How-To-Repeat:

Create a simple one line Bourne shell script and execute is as a cgi script
as described above.

>Fix:
	None
>Audit-Trail:
>Unformatted: