Posted to users@httpd.apache.org by Alexander Kolesnik <ap...@abisoft.biz> on 2005/05/20 11:27:01 UTC

[users@httpd] suexec improvement suggestion

Hello All,

Here is a brief of the problem:
---
http://issues.apache.org/bugzilla/show_bug.cgi?id=34863

There is a real problem if one needs to set, for a certain CGI script,
the permissions that REMOTE_USER has on the system.
This happens, for example, if we need to organize web access to a CVS
repository that stores projects of several groups of users and we
don't want a user of project1 to be able to access files from project2.

I'd suggest adding a configuration keyword for the VirtualHost section
(or the whole server) that would switch suexec mode from the original
to the 'REMOTE_USER' one.
---

However, the Apache developers did not agree with me and suggested
using a separate tool. Unfortunately, the tool I found (securecgi)
works very badly with the cvsweb.pl script and causes memory leaks in
Apache (2.0.x) from time to time, so I had to limit MaxRequestsPerChild
to 1.

I accumulated pros (from my point of view) and cons (from the Apache
developers' point of view) for implementing this feature inside Apache
rather than using a separate tool. Here they are:

Pros:
1. Ability to give access to user files on the server via the web
interface (easy work with CVS, etc.)
2. No separate buggy tools - the feature is supported by Apache and bugs
are fixed in a short time.
3. No problem with security if it is properly tuned and SSL is used (see
cons #1)

Cons:
1. By default it opens a security hole (running "as" remote_user
implies authenticating as a system user; combining that with the
insecurity of HTTP basic authentication allows passwords to be given
away)
2. People might use it without SSL and the headlines will be about big
security holes in Apache.

So, I ask you, people, to tell what you think about this feature.
Does anybody (besides me) need it? What other cons do you see?
I hope that if there are many people needing this feature, the Apache
developers will insert it into their to-do list.

Thank you.

-- 
Best regards,
 Alexander


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: Re[4]: [users@httpd] suexec improvement suggestion

Posted by Joshua Slive <js...@gmail.com>.
On 5/20/05, Alexander Kolesnik <ap...@abisoft.biz> wrote:
> >> Could you please tell what security implications you mean? And
> >> what's the difference between the original suexec's security and
> >> the one I suggested?
> 
> > I can't say that I'm a real expert here either, but one important
> > issue is that you would need to remove an suexec security check:
> > suexec runs files only under the userid of their owner. Removing
> > this check wouldn't automatically lead to a problem -- you'd still
> > need to compromise the httpd user -- but it gets you one step closer.
> 
> I don't see problems here if suexec extends this restriction to
> any non-root user (or any non-special user, like bin, etc.). If you
> see them, please, tell me.

Let's put it this way: If you compromise the httpd user, you can then
run any httpd/suexec-accessible program under any userid (other than
root).  That is really only a half-step away from root privileges.

(One thing people often fail to consider is that suexec is an ordinary
binary that can be run from the command line, not only from within
httpd.  Many of the security checks are designed to prevent it from
being abused from the command line.)

> As far as I understand, this improvement will not affect suexec's
> simplicity and security.

If you made it a configurable option, it would certainly make suexec
more complex (as would any configuration).  I think it should be
evident that it also removes a major security check.

Joshua.


Re[4]: [users@httpd] suexec improvement suggestion

Posted by Alexander Kolesnik <ap...@abisoft.biz>.
>> Could you please tell what security implications you mean? And
>> what's the difference between the original suexec's security and
>> the one I suggested?

> I can't say that I'm a real expert here either, but one important
> issue is that you would need to remove an suexec security check:
> suexec runs files only under the userid of their owner. Removing
> this check wouldn't automatically lead to a problem -- you'd still
> need to compromise the httpd user -- but it gets you one step closer.

I don't see problems here if suexec extends this restriction to
any non-root user (or any non-special user, like bin, etc.). If you
see them, please, tell me.

As far as I understand, this improvement will not affect suexec's
simplicity and security.

-- 
Best regards,
 Alexander



Re: Re[2]: [users@httpd] suexec improvement suggestion

Posted by Joshua Slive <js...@gmail.com>.
On 5/20/05, Alexander Kolesnik <ap...@abisoft.biz> wrote:
> Hello Joshua,
> 
> Friday, May 20, 2005, 6:16:25 PM, you wrote:
> 
> > (Even if you do have the knowledge to implement this, you still may
> > not have the knowledge to understand the security implications, so
> > you probably still shouldn't do it.)
> 
> Could you please tell what security implications you mean? And
> what's the difference between the original suexec's security and
> the one I suggested?

I can't say that I'm a real expert here either, but one important
issue is that you would need to remove an suexec security check:
suexec runs files only under the userid of their owner. Removing
this check wouldn't automatically lead to a problem -- you'd still
need to compromise the httpd user -- but it gets you one step closer.

In general, you'd be surprised at how many different people file bugs
asking for suexec restrictions to be relaxed in various ways.  But the
point of suexec is to be simple and secure.  Relaxing these
restrictions -- even on a compile-time configurable basis -- would
certainly kill the "simple" part, and quite possibly the "secure" part
as well.

Joshua.


Re[2]: [users@httpd] suexec improvement suggestion

Posted by Alexander Kolesnik <ap...@abisoft.biz>.
Hello Joshua,

Friday, May 20, 2005, 6:16:25 PM, you wrote:

> (Even if you do have the knowledge to implement this, you still may
> not have the knowledge to understand the security implications, so you
> probably still shouldn't do it.)

Could you please tell what security implications you mean? And
what's the difference between the original suexec's security and
the one I suggested?

-- 
Best regards,
 Alexander



Re: [users@httpd] suexec improvement suggestion

Posted by Joshua Slive <js...@gmail.com>.
On 5/20/05, Alexander Kolesnik <ap...@abisoft.biz> wrote:

> So, I ask you, people, to tell what you think about this feature.
> Does anybody (besides me) need it? What other cons do you see?
> I hope that if there are many people needing this feature, the Apache
> developers will insert it into their to-do list.

This is not a very friendly answer, but I think it is the best one:

This is something you could probably implement with a couple of hours'
work of hacking suexec.c.  If you don't have the knowledge to do that,
then you probably also don't have the knowledge to understand all the
security implications involved and hence shouldn't be doing it anyway.
So the fact that it isn't already implemented provides a good filter
against people shooting themselves in the foot.

(Even if you do have the knowledge to implement this, you still may
not have the knowledge to understand the security implications, so you
probably still shouldn't do it.)

Joshua.
