Posted to users@httpd.apache.org by Bob Bell <bo...@zk3.dec.com> on 2003/02/04 17:51:23 UTC

[users@httpd] suEXEC and /etc/passwd

[ Disclaimer: I've searched FAQs, Usenet archives, and mailing list
archives and can't find an answer to this question, but I am more than
willing to accept a pointer ]

I'm running an Ensim-based site with name-based virtual hosts.  suEXEC
is in use.  I want to make the web directories for those hosts
(including cgi-bin directories) owned by a different user than the Ensim
"site administrator".  That is, I want to make them owned by the
"webmaster" user for that domain.  Actually accomplishing that, and
serving static pages and providing FTP access, etc. is not a problem
(which is why I'm not posting to an Ensim list).

The problem is that that user is in the /etc/passwd file for that
domain, but not in the global /etc/passwd file for the system, which is
what suEXEC checks.  From http://httpd.apache.org/docs/suexec.html,
a condition for success in suEXEC is:
    5. Is the target user name valid?
        Does the target user exist? 

I would like to know how to disable this check.  Do I have to comment
out the lines implementing it in the suEXEC source and recompile?  What
kind of problems do I open myself up to if I do?  (I can't think of any,
as long as the other checks are all in place, and I'm a reasonably
security-minded guy)

-- 
Bob Bell <bo...@zk3.dec.com>
-------------------------------------------------------------------------
 "Software gets slower faster than hardware gets faster!"
   -- "Wirth's Law" - Niklaus Wirth, famous computer scientist

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] suEXEC and /etc/passwd

Posted by Jurgen <ap...@squarehosting.com>.
Hi,

Maybe you should then contact the programmers of the Apache Group, which is what they recommend, and ask them why they made this decision.
Logically this check shouldn't hurt, because when you deal with files you normally have to be a user. The way you want to use it will not allow you any access to the files except as the root user. This might be your intention, but you can accomplish the same with a valid user.

Jurgen


On Tue, 4 Feb 2003 12:44:12 -0500
Bob Bell <bo...@zk3.dec.com> wrote:

> On Tue, Feb 04, 2003 at 12:40:28PM -0500, Jurgen <ap...@squarehosting.com> wrote:
> > The user name is basically an alias for a UID. At some point the
> > username will be mapped from user name to UID, and the information for
> > the mapping is in /etc/passwd. That means as long as you specify a user
> > name you will have to have it in the system, else there is no way for
> > the OS to randomly make up a UID.  So I guess what you really want is
> > to specify a UID in the configuration instead of a user name.
> 
>     Yes.  Apache already acknowledges this, as the User directive can
> take either a username or "#" and a UID.  However, suEXEC enforces that
> the username must be in /etc/passwd.  I'd like to remove that
> restriction.  In particular, I don't understand how I am more vulnerable
> without it.


Re: [users@httpd] suEXEC and /etc/passwd

Posted by Bob Bell <bo...@zk3.dec.com>.
On Tue, Feb 04, 2003 at 12:40:28PM -0500, Jurgen <ap...@squarehosting.com> wrote:
> The user name is basically an alias for a UID. At some point the
> username will be mapped from user name to UID, and the information for
> the mapping is in /etc/passwd. That means as long as you specify a user
> name you will have to have it in the system, else there is no way for
> the OS to randomly make up a UID.  So I guess what you really want is
> to specify a UID in the configuration instead of a user name.

    Yes.  Apache already acknowledges this, as the User directive can
take either a username or "#" and a UID.  However, suEXEC enforces that
the username must be in /etc/passwd.  I'd like to remove that
restriction.  In particular, I don't understand how I am more vulnerable
without it.

-- 
Bob Bell <bo...@zk3.dec.com>
-------------------------------------------------------------------------
 "Shipping software is an unnatural act"
   -- David Stafford



Re: [users@httpd] suEXEC and /etc/passwd

Posted by Jurgen <ap...@squarehosting.com>.
Hi,

The user name is basically an alias for a UID. At some point the username will be mapped from user name to UID, and the information for the mapping is in /etc/passwd. That means as long as you specify a user name you will have to have it in the system, else there is no way for the OS to randomly make up a UID.
So I guess what you really want is to specify a UID in the configuration instead of a user name.

Jurgen


On Tue, 4 Feb 2003 12:14:16 -0500
Bob Bell <bo...@zk3.dec.com> wrote:

> On Tue, Feb 04, 2003 at 12:16:24PM -0500, Jurgen <ap...@squarehosting.com> wrote:
> > What is the use of it?
> > Either you want to execute stuff with suexec. Then what do you think
> > the operating system would say if you try to start a process as a
> > non-existent user?  If you don't want to execute anything, then how
> > would it make a difference if the user exists or not?
> 
>     I want to execute the CGI with a specific user ID that does not have
> a corresponding username.  That is, suEXEC would perform a setuid() to
> a UID not in /etc/passwd.  I just wrote a short test program that
> confirmed to me that you can indeed give setuid() a UID that does not
> exist in /etc/passwd.


Re: [users@httpd] suEXEC and /etc/passwd

Posted by Bob Bell <bo...@zk3.dec.com>.
On Tue, Feb 04, 2003 at 12:16:24PM -0500, Jurgen <ap...@squarehosting.com> wrote:
> What is the use of it?
> Either you want to execute stuff with suexec. Then what do you think
> the operating system would say if you try to start a process as a
> non-existent user?  If you don't want to execute anything, then how
> would it make a difference if the user exists or not?

    I want to execute the CGI with a specific user ID that does not have
a corresponding username.  That is, suEXEC would perform a setuid() to
a UID not in /etc/passwd.  I just wrote a short test program that
confirmed to me that you can indeed give setuid() a UID that does not
exist in /etc/passwd.

-- 
Bob Bell <bo...@zk3.dec.com>
-------------------------------------------------------------------------
 "It [Linux] actually has been mildly frustrating that so many people
  are unwilling to pay us for service and support because the damn
  thing never breaks."
   -- Daniel D. Frye, Director, IBM Linux Technology Center

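The experiment Bob describes above, and suEXEC's existence check placed next to it, as an added example written for this archive page; it is not the program Bob ran and it is not code from Apache's suexec.c. resolve_target() models the documented "does the target user exist?" condition as a getpwnam()/getpwuid() lookup, accepting either a user name or the "#uid" form that the User directive takes. can_switch_to() is the setuid() test Bob mentions, run in a forked child so the calling process keeps its own identity. UNLISTED_UID (4000000000) is an assumption: a UID chosen to be absent from the password database on a typical system.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: a UID with no entry in the password database on a typical
 * system.  Adjust it if your /etc/passwd happens to list it. */
#define UNLISTED_UID ((uid_t)4000000000u)

/* Resolve a target written the way httpd's User directive accepts it: a
 * user name, or '#' followed by a numeric UID.  Returns 0 and stores the
 * UID when the password database has an entry for it, -1 otherwise.  This
 * models the "does the target user exist?" condition from the suEXEC
 * documentation; it is not suexec.c.  A numeric UID that is absent from
 * /etc/passwd fails here even though setuid() would accept it. */
int resolve_target(const char *spec, uid_t *uid)
{
    struct passwd *pw;

    if (spec == NULL || spec[0] == '\0')
        return -1;
    if (spec[0] == '#') {
        char *end;
        unsigned long n = strtoul(spec + 1, &end, 10);
        if (end == spec + 1 || *end != '\0')
            return -1;              /* '#' not followed by a plain number */
        pw = getpwuid((uid_t)n);
    } else {
        pw = getpwnam(spec);
    }
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    return 0;
}

/* Call setuid(target) in a forked child so the caller keeps its identity.
 * Returns 1 if the child really ran as `target` afterwards, 0 if the
 * kernel refused with EPERM (caller is not privileged), -1 on any other
 * failure (e.g. EINVAL for a UID outside a user namespace's mapping). */
int can_switch_to(uid_t target)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A real privilege drop would also set the gid and supplementary
         * groups; only the uid is under test here. */
        if (setuid(target) != 0)
            _exit(errno == EPERM ? 2 : 3);
        _exit((getuid() == target && geteuid() == target) ? 0 : 3);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 2:  return 0;
    default: return -1;
    }
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "#4000000000";
    uid_t uid;

    if (resolve_target(spec, &uid) == 0)
        printf("%s: passwd entry found, uid %lu\n", spec, (unsigned long)uid);
    else
        printf("%s: no passwd entry; suEXEC's existence check would fail\n", spec);

    switch (can_switch_to(UNLISTED_UID)) {
    case 1:
        printf("setuid(%lu) succeeded even with no passwd entry\n",
               (unsigned long)UNLISTED_UID);
        break;
    case 0:
        printf("setuid(%lu) refused with EPERM; rerun as root to see it succeed\n",
               (unsigned long)UNLISTED_UID);
        break;
    default:
        printf("setuid(%lu) failed for another reason\n",
               (unsigned long)UNLISTED_UID);
    }
    return 0;
}
```

Build with `cc -o suexec_uid_test suexec_uid_test.c` and run it once as a normal user and once as root. The passwd lookup for #4000000000 fails both times, while setuid() to that UID is refused with EPERM for the normal user and succeeds for root, which is exactly the gap between the kernel's view and suEXEC's that this thread turns on. Only this one condition is modelled; suEXEC's other checks are not reproduced here.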


Re: [users@httpd] suEXEC and /etc/passwd

Posted by Jurgen <ap...@squarehosting.com>.
Hi,

What is the use of it?
Either you want to execute stuff with suexec. Then what do you think the operating system would say if you try to start a process as a non-existent user?
If you don't want to execute anything, then how would it make a difference if the user exists or not?

Jurgen


On Tue, 4 Feb 2003 11:51:23 -0500
Bob Bell <bo...@zk3.dec.com> wrote:

> [ Disclaimer: I've searched FAQs, Usenet archives, and mailing list
> archives and can't find an answer to this question, but I am more than
> willing to accept a pointer ]
> 
> I'm running an Ensim-based site with name-based virtual hosts.  suEXEC
> is in use.  I want to make the web directories for those hosts
> (including cgi-bin directories) owned by a different user than the Ensim
> "site administrator".  That is, I want to make them owned by the
> "webmaster" user for that domain.  Actually accomplishing that, and
> serving static pages and providing FTP access, etc. is not a problem
> (which is why I'm not posting to an Ensim list).
> 
> The problem is that that user is in the /etc/passwd file for that
> domain, but not in the global /etc/passwd file for the system, which is
> what suEXEC checks.  From http://httpd.apache.org/docs/suexec.html,
> a condition for success in suEXEC is:
>     5. Is the target user name valid?
>         Does the target user exist? 
> 
> I would like to know how to disable this check.  Do I have to comment
> out the lines implementing it in the suEXEC source and recompile?  What
> kind of problems do I open myself up to if I do?  (I can't think of any,
> as long as the other checks are all in place, and I'm a reasonably
> security-minded guy)