Posted to apache-bugdb@apache.org by br...@hyperreal.org on 1998/05/20 06:48:28 UTC

Re: suexec/1001: Potential group security hole with suexec

[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]


Synopsis: Potential group security hole with suexec

State-Changed-From-To: open-closed
State-Changed-By: brian
State-Changed-When: Tue May 19 21:48:27 PDT 1998
State-Changed-Why:
yeah, better never than late, eh?  :)

To be honest I don't see the security hole present here.  
The whole point of suexec is to put the same protections
around the CGI that Unix puts around its users.  A poorly
written and exploitable CGI, under suexec, can do as much
damage to the OS as the user whose userid it runs under can
also do.  This is not a chroot jail and doesn't try to be.

If we were to implement a warning or check, chances are the
volume of bug reports we'd get about it would overwhelm us,
as everyone testing "suexec" for the first time will be someone
who has wheel group membership (etc.) since they had to become
root to install suexec.

Thanks for the note, though, it was good food for thought.




Re: suexec/1001: Potential group security hole with suexec

Posted by Patrick Rigney <pa...@evocative.com>.
brian@hyperreal.org wrote:
> 
> [In order for any reply to be added to the PR database, ]
> [you need to include <ap...@Apache.Org> in the Cc line ]
> [and leave the subject line UNCHANGED.  This is not done]
> [automatically because of the potential for mail loops. ]
> 
> Synopsis: Potential group security hole with suexec
> 
> State-Changed-From-To: open-closed
> State-Changed-By: brian
> State-Changed-When: Tue May 19 21:48:27 PDT 1998
> State-Changed-Why:
> yeah, better never than late, eh?  :)
> 
> To be honest I don't see the security hole present here.
> The whole point of suexec is to put the same protections
> around the CGI that Unix puts around its users.  A poorly
> written and exploitable CGI, under suexec, can do as much
> damage to the OS as the user whose userid it runs under can
> also do.  This is not a chroot jail and doesn't try to be.
> 
> If we were to implement a warning or check, chances are the
> volume of bug reports we'd get about it would overwhelm us,
> as everyone testing "suexec" for the first time will be someone
> who has wheel group membership (etc.) since they had to become
> root to install suexec.
> 
> Thanks for the note, though, it was good food for thought.

Brian, I understand and agree.  I think it would be worth pointing out,
however, that the "Group" directive specified in the config file is, as
is generally the case but easily forgotten, a specification of the
primary group, and not necessarily all the groups to which a user may
belong.  I'd rather have seen it in the documentation and kick myself
for not paying attention than see it in a CERT advisory.

Thanks for the note.
Patrick
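
An added example, not part of the thread and not Apache code: a small audit that lists every group an account belongs to besides the one named in the "Group" directive, so memberships such as wheel are visible before the account is used with suexec. The function names, the sample passwd/group data and the `sensitive` default are assumptions made for illustration.

```python
# Constructed sample account data in passwd(5)/group(5) format; not from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:root,alice
users:x:100:
alice:x:1001:
webdev:x:2001:alice,bob
"""

def _records(text, min_fields):
    """Yield the split fields of each well-formed, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields

def memberships(user, passwd_text, group_text):
    """Every group the user is in: the passwd primary group plus group member lists."""
    primary = {f[0]: f[3] for f in _records(passwd_text, 7)}
    if user not in primary:
        raise ValueError(f"unknown user: {user}")
    found = set()
    for name, _pw, gid, members in (f[:4] for f in _records(group_text, 4)):
        if gid == primary[user] or user in filter(None, members.split(",")):
            found.add(name)
    return found

def audit(user, configured_group, passwd_text=SAMPLE_PASSWD,
          group_text=SAMPLE_GROUP, sensitive=("wheel",)):
    """Report groups held beyond the one named in the Group directive."""
    extra = memberships(user, passwd_text, group_text) - {configured_group}
    return {"extra": sorted(extra),
            "sensitive": sorted(extra & set(sensitive))}

if __name__ == "__main__":
    # (user, value of the Group directive) pairs, both hypothetical.
    for user, group in (("alice", "alice"), ("bob", "users")):
        print(user, group, audit(user, group))
```

To check a real host, pass the contents of its own passwd and group files as `passwd_text` and `group_text`.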