You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Alexander Kolesnik <ap...@abisoft.biz> on 2005/05/20 16:47:57 UTC
Re[2]: [users@httpd] suexec improvement suggestion
Hello Joshua,
Friday, May 20, 2005, 6:16:25 PM, you wrote:
> (Even if you do have the knowledge to impliment this, you still may
> not have the knowledge to understand the security implications, so you
> probably still shouldn't do it.)
Could you please tell what security implications do you mean? And
what's the difference between original suexec's security and the one I
suggested?
--
Best regards,
Alexander
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Re[4]: [users@httpd] suexec improvement suggestion
Posted by Joshua Slive <js...@gmail.com>.
On 5/20/05, Alexander Kolesnik <ap...@abisoft.biz> wrote:
> >> Could you please tell what security implications do you mean? And
> >> what's the difference between original suexec's security and the one I
> >> suggested?
>
> > I can't say that I'm a real expert here either, but one important
> > issue is that you would need to remove an suexec security check:
> > suexec runs files only under the userid of their owner. Removing
> > this check wouldn't automatically lead to a problem -- you'd still
> > need to compromise the httpd user -- buy it gets you one step closer.
>
> I don't see problems here if suexec will extend this restriction to
> any non-root user (or any non-special user, like bin, etc). If you see
> them, please, tell me.
Let's put it this way: If you compromise the httpd user, you can then
run any httpd/suexec-accessible program under any userid (other than
root). That is really only a half-step away from root privileges.
(One thing people often fail to consider is that suexec is an ordinary
binary that can be run from the command line, not only from within
httpd. Many of the security checks are designed to prevent it from
being abused from the command line.)
> As far as I understand, this improvemnt will not affect suexec's
> simplicity and security.
If you made it a configurable option, it would certainly make suexec
more complex (as would any configuration). I think it should be
evident that it also removes a major security check.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re[4]: [users@httpd] suexec improvement suggestion
Posted by Alexander Kolesnik <ap...@abisoft.biz>.
>> Could you please tell what security implications do you mean? And
>> what's the difference between original suexec's security and the one I
>> suggested?
> I can't say that I'm a real expert here either, but one important
> issue is that you would need to remove an suexec security check:
> suexec runs files only under the userid of their owner. Removing
> this check wouldn't automatically lead to a problem -- you'd still
> need to compromise the httpd user -- buy it gets you one step closer.
I don't see problems here if suexec will extend this restriction to
any non-root user (or any non-special user, like bin, etc). If you see
them, please, tell me.
As far as I understand, this improvemnt will not affect suexec's
simplicity and security.
--
Best regards,
Alexander
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Re[2]: [users@httpd] suexec improvement suggestion
Posted by Joshua Slive <js...@gmail.com>.
On 5/20/05, Alexander Kolesnik <ap...@abisoft.biz> wrote:
> Hello Joshua,
>
> Friday, May 20, 2005, 6:16:25 PM, you wrote:
>
> > (Even if you do have the knowledge to impliment this, you still may
> > not have the knowledge to understand the security implications, so you
> > probably still shouldn't do it.)
>
> Could you please tell what security implications do you mean? And
> what's the difference between original suexec's security and the one I
> suggested?
I can't say that I'm a real expert here either, but one important
issue is that you would need to remove an suexec security check:
suexec runs files only under the userid of their owner. Removing
this check wouldn't automatically lead to a problem -- you'd still
need to compromise the httpd user -- buy it gets you one step closer.
In general, you'd be surprised at how many different people file bugs
asking for suexec restrictions to be relaxed in various ways. But the
point of suexec is to be simple and secure. Relaxing these
restrictions -- even on a compile-time configurable basis -- would
certainly kill the "simple" part, and quite possibly the "secure" part
as well.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org