What steps will reproduce the problem? 1. make 2. sudo chown root:root pwauth 3. sudo chmod 4111 pwauth 4. ./pwauth

Expect: Program to function as described.

Actual: Returns error code 50.

What version of the product are you using? On what operating system? pwauth-2.3.8

Linux version 2.6.9-89.ELsmp (mockbuild@hs20-bc1-2.build.redhat.com) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-11)) #1 SMP Mon Apr 20 10:34:33 EDT 2009

Please provide any additional information below.

I looked into the problem and saw that main.c is using the real uid instead of the effective uid. On our system this returns the current user, not root, even though the SUID bit is set.

See the sample code in: http://en.wikipedia.org/wiki/Setuid

I changed line 65 of main.c to be: uid= geteuid(); // instead of getuid()

I re-compiled, installed, and it works great.

The purpose of this test it to ensure that pwauth was invoked by Apache, not by some other program, so it checks the REAL uid to see if it is whatever Apache is configured to run under, and refuses to run if invoked by any other user. This is not really an incredibly important security feature, but it's one more layer of paranoia in a program that takes paranoia seriously.

Checking the EFFECTIVE uid instead disables this check completely. Pwauth's effective uid is always root, so the check will never fail. If you want to disable this check you can do so more cleanly by undefining SERVER_UIDS in config.h.