You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Rob Saccoccio <ro...@InfiniteTechnology.com> on 1998/07/10 05:41:11 UTC
general/2580: CGI/
>Number: 2580
>Category: general
>Synopsis: CGI/
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Jul 9 20:50:00 PDT 1998
>Last-Modified:
>Originator: robs@InfiniteTechnology.com
>Organization:
apache
>Release: 1.3.0
>Environment:
All Unix variants
>Description:
Some consideration should be given to the use of initgroups() in
set_group_privs() with MULTIPLE_GROUPS undefined by default.
With MULTIPLE_GROUPS undefined, an attempt to execute a script which
is group executable and whose group is not that used for the setgid()
but is in the supplementary group list will fail do to permissions
checks in ap_can_exec(). A CGI script can be written which exploits
the permissions available to the groups in the script�s supplementary
groups. This, of course, could include programs that are setuid.
Although this is basically "normal" behavior, the effect of
MULTIPLE_GROUPS being undefined (by default) is not. It is odd and
misleading: a CGI script which can't be exec'd by Apache, can be
exec'd by another script which was exec'd by Apache.
Of course this won�t effect most configurations (i.e. those which
choose appropriate uid/gids), but given Apache�s prevalence that
leaves lots of susceptible installations.
It�s probably not wise at this point to define MULTIPLE_GROUPS as
the default. Using setgroups() to set the supplementary group
list with just the one gid instead of using initgroups() (when
MULTIPLE_GROUPS is not defined) would be simple, safer, and not
effect existing installations (I can�t imagine anyone is making
use of supplementary groups without defining MULTIPLE_GROUPS).
PR#1001 addresses a related topic.
If you concur, I'll write a patch.
robs
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]