Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/04/24 17:51:52 UTC
DO NOT REPLY [Bug 28567] New: - overly restrictive suexec makes for inflexible mass hosting security
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28567>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=28567
overly restrictive suexec makes for inflexible mass hosting security
Summary: overly restrictive suexec makes for inflexible mass hosting security
Product: Apache httpd-2.0
Version: 2.0.49
Platform: All
URL: http://www.dollardns.net
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: Other
Component: support
AssignedTo: bugs@httpd.apache.org
ReportedBy: apache@dollardns.net
suexec checks to make sure that both the target uid AND gid match the
directory and program uid and gid. This is unnecessary; only the uid match
check should be performed. An apache server can be made more secure if the
entire /var/www/html/ directory and files belong under the group apache runs
as. Each /var/www/html/user/ directory and files belong under the client
user. No execute or write access is allowed to anybody but the user. No read
access is allowed to anybody but the user and group. SuexecUserGroup is set to
the user and the client group - NOT the group apache runs as. This way the
user scripts cannot even read files in other users' directories, but apache can.
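The layout and the two suexec checks the reporter contrasts, as an added example that is not code from the report or from httpd's suexec. It is written in Python and models, on constructed values, the ownership test suexec applies to a CGI and its directory and the kernel's POSIX read check; the uids and gids (apache = 48, alice = 1001, bob = 1002) and the modes 0750/0640 are assumptions, and the group search bit on the per-user directory is assumed because the report says the server can read the files, which requires traversing the directory.

```python
"""Added example: not code from the bug report or from httpd/suexec.

Models (1) the ownership test suexec applies to a CGI script and its directory
before switching to the SuexecUserGroup target, and (2) the POSIX read check the
kernel applies, so the hosting layout described in the report can be reasoned
about without root.  All uids, gids and modes are constructed values.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640

    @classmethod
    def from_path(cls, path):
        st = os.stat(path)
        return cls(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def suexec_owner_check(meta, target_uid, target_gid, require_gid_match=True):
    """Ownership test suexec applies to the script and to its directory.

    As shipped, suexec refuses unless the file's uid AND gid equal the target
    uid/gid.  require_gid_match=False models the uid-only check the report asks
    for.  Apply it to both the directory and the script, as suexec does.
    """
    if meta.uid != target_uid:
        return False
    return (not require_gid_match) or meta.gid == target_gid


def can_read(meta, proc_uid, proc_gids):
    """POSIX discretionary read check: owner class, else group class, else other.

    Only the first matching class is consulted, as the kernel does: a process in
    the file's group with no group-read bit is denied even if 'other' may read.
    No superuser override is modelled.
    """
    if proc_uid == meta.uid:
        return bool(meta.mode & stat.S_IRUSR)
    if meta.gid in proc_gids:
        return bool(meta.mode & stat.S_IRGRP)
    return bool(meta.mode & stat.S_IROTH)


# Constructed ids: the server runs as apache:apache; each customer has its own
# uid and a private group that is NOT the group the server runs as.
APACHE_UID, APACHE_GID = 48, 48
ALICE_UID, ALICE_GID = 1001, 1001
BOB_UID, BOB_GID = 1002, 1002

# /var/www/html/alice/ per the report: owner alice, group apache, no write or
# execute for anyone but alice, read only for alice and the apache group.
# Assumption: the directory keeps the group search bit so the server can reach
# the files inside it.
ALICE_DIR = FileMeta(uid=ALICE_UID, gid=APACHE_GID, mode=0o750)
ALICE_CGI = FileMeta(uid=ALICE_UID, gid=APACHE_GID, mode=0o750)
ALICE_DATA = FileMeta(uid=ALICE_UID, gid=APACHE_GID, mode=0o640)


def shipped_suexec_allows(target_uid, target_gid):
    """suexec as shipped (uid and gid must match) on alice's dir and script."""
    return all(suexec_owner_check(m, target_uid, target_gid)
               for m in (ALICE_DIR, ALICE_CGI))


def proposed_suexec_allows(target_uid, target_gid):
    """The report's uid-only variant on the same directory and script."""
    return all(suexec_owner_check(m, target_uid, target_gid, require_gid_match=False)
               for m in (ALICE_DIR, ALICE_CGI))


def isolation_holds():
    """With 'SuexecUserGroup alice alice': bob's CGI (bob:bob) cannot read
    alice's data, while the server (apache:apache) and alice herself can."""
    return (not can_read(ALICE_DATA, BOB_UID, {BOB_GID})
            and can_read(ALICE_DATA, APACHE_UID, {APACHE_GID})
            and can_read(ALICE_DATA, ALICE_UID, {ALICE_GID}))


def apache_group_target_leaks():
    """One way to satisfy the shipped gid check while keeping files readable by
    the server is to run the CGI in the server's group (target alice:apache).
    Then bob's CGI (bob:apache) reads alice's data through the group bits."""
    return can_read(ALICE_DATA, BOB_UID, {APACHE_GID})


def real_stat_roundtrip():
    """FileMeta.from_path on a file this process just created: its uid must be
    the effective uid of the process."""
    with tempfile.NamedTemporaryFile() as tmp:
        return FileMeta.from_path(tmp.name).uid == os.geteuid()


if __name__ == "__main__":
    print("shipped suexec, target alice:alice ->", shipped_suexec_allows(ALICE_UID, ALICE_GID))
    print("uid-only suexec, target alice:alice ->", proposed_suexec_allows(ALICE_UID, ALICE_GID))
    print("bob's CGI isolated from alice's data ->", isolation_holds())
    print("target alice:apache leaks to bob ->", apache_group_target_leaks())
```

Run as a script it prints the four outcomes: the shipped check refuses the reporter's layout because the file gid (apache) differs from the target gid (the client group), the uid-only variant accepts it, cross-customer reads are denied while the server's reads succeed, and switching the CGI into the server's group to appease the gid check is exactly what would reopen cross-customer reads. `can_read` deliberately consults only the first matching class, which is the detail that makes the group-based isolation work.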
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org