Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/01/03 21:05:13 UTC

Re: suexec modification (w/diffs) (fwd)

------- Blind-Carbon-Copy

To: Curtis Wilbar <cu...@ici.net>
Subject: Re: suexec modification (w/diffs) (fwd) 
In-reply-to: curtis's message of Fri, 03 Jan 1997 14:26:20 -0500.
         <19...@pike.ici.net> 
Cc: jad@bcc.louisville.edu
X-uri: http://www.zyzzyva.com/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 03 Jan 1997 14:05:13 -0600
From: Randy Terbush <ra...@sierra>


> 
> Unless I read something wrong.... apache calls suexec with the username/group
> of the server (or of a virtual one with user and group directives with the
> name/group in those directives), or as a user/group if ~ is used.  We do not
> use the ~ expansion here.
> 
> My mods are to run the cgi as the owner/group that owns the cgi executable
> itself.  While our virtual domain servers can use the username/group
> directives for virtual domains, our regular customer webserver (which does not
> use ~ expansion) needed a capability to run a cgi as the owner of the cgi
> program.

Ok, I understand now. The scenario you describe above is a bit too loose
for mine, Jason Dour (who worked with me to develop these changes), and
the Apache group. We worked from the assumption that the system we were
running on would allow "giveaway chowns". In the model you describe above,
it would be possible for me (badguy) to create a CGI script that did
BadThings (tm) in your web directory, chown the script to your name, and
then run it as you via the web server under your UID. While there are
some hurdles to cross here, it is doable on many systems.

You have demonstrated through your changes one of the features of the
suexec wrapper approach: the ability to create your own wrapper that
meets the needs of your local installation. We, on the other hand, are
providing a wrapper that is sufficiently paranoid in hopes of not exposing
sites to an unreasonable amount of risk when running it.

> I think the mods might be more appropriate for the apache source, but
> I was already into suexec, and it is easier to test independently of the
> apache server.
> 
> Where do you think the mods should go ?

By putting these changes in the server, you would require that the server
be run as the 'root' user. This could be extremely dangerous depending on
the environment that you run your server in. The wrapper is the "safer"
place to put these sorts of changes, but IMO not safe enough as described
above.

> Does this clear this up ?  Did I misunderstand the Apache docs (I looked
> at the code too, and it only seems to call with the owner when a ~ expansion
> is used).

Or when the User/Group is different than the main server configuration.
We have hopes of adding setuser execution on a per/directory basis in
future versions of Apache. This would _not_ be configurable in the filesystem
via .htaccess files and thus would require modification of the config files.
These changes are entirely dependent on our ability to find a _safe_ way
to do this. This _may_ offer you the ability to do what you are describing.

Thanks for using Apache.






------- End of Blind-Carbon-Copy
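
The "giveaway chown" concern in the message above, as an added example (not code from suexec or from either correspondent): it checks whether a filesystem permits giveaway chowns and contrasts taking the run-as identity from the file's owner with taking it from configuration. The function names, the uids 1001 and 1002, and the exact policy in `allow_exec` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 = unprivileged users may give files away on this filesystem,
 * 0 = chown is restricted to privileged processes, -1 = could not tell. */
int giveaway_chown_possible(const char *path)
{
    errno = 0;
    long r = pathconf(path, _PC_CHOWN_RESTRICTED);
    if (r == -1)
        return errno ? -1 : 1;  /* -1 with errno untouched: no restriction */
    return 0;
}

/* Model from the quoted proposal: the identity is read from the file. */
uid_t target_from_owner(uid_t file_uid)
{
    return file_uid;            /* also true for a file that was given away */
}

/* Illustrative stricter model: cfg_uid comes from the server configuration;
 * the file and its directory must already belong to that user and be closed
 * to writes by anyone else. Returns 1 to allow, 0 to refuse. */
int allow_exec(uid_t cfg_uid, uid_t file_uid, mode_t file_mode,
               uid_t dir_uid, mode_t dir_mode)
{
    if (cfg_uid == 0)
        return 0;                           /* never run a CGI as root */
    if (file_uid != cfg_uid || dir_uid != cfg_uid)
        return 0;                           /* ownership must match config */
    if ((file_mode | dir_mode) & (S_IWGRP | S_IWOTH))
        return 0;                           /* others could plant or edit */
    if (file_mode & (S_ISUID | S_ISGID))
        return 0;                           /* no setuid/setgid programs */
    return 1;
}

int main(void)
{
    /* Constructed case: a script sits in a group-writable directory owned by
     * uid 1001 and its ownership has been handed to uid 1001 by uid 1002. */
    printf("giveaway chown possible on /: %d\n", giveaway_chown_possible("/"));
    printf("owner model runs as uid %d\n", (int)target_from_owner(1001));
    printf("config model allows: %d\n", allow_exec(1001, 1001, 0755, 1001, 0775));
    return 0;
}
```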