You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Elliott Mitchell <eh...@cat.pdx.edu> on 1999/07/26 05:21:25 UTC

suexec/4765: Directory Ownership

>Number:         4765
>Category:       suexec
>Synopsis:       Directory Ownership
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sun Jul 25 20:30:01 PDT 1999
>Last-Modified:
>Originator:     ehem@cat.pdx.edu
>Organization:
apache
>Release:        1.3.1
>Environment:
Solaris 2.5.1 (SunOS 5.5.1) Sparc, GCC 2.7.2.1
>Description:
According to the documentation for suEXEC, the only test on the
directory where CGIs are located is "Is the directory NOT writable by
anyone else?". By testing it is pretty clear the group on the
directory is also checked.
>How-To-Repeat:
Change the group for a user's CGI-bin directory to any group other
than the owner's default.
>Fix:
Either fix the documentation (http://www.apache.org/docs/suexec.html) or remove this test from suEXEC. IMHO I think
the test should be removed since checking the directory's group doesn't appear to improve security in any way.
In fact makes it impossible to have a user's WWW directory owned by a web group, restrict access to
Apache only, and then have the actual CGI programs owned by the user's group (to meet that requirement of suEXEC).
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]