Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/04/24 17:51:52 UTC

DO NOT REPLY [Bug 28567] New: - overly restrictive suexec makes for inflexible mass hosting security

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28567>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28567

overly restrictive suexec makes for inflexible mass hosting security

           Summary: overly restrictive suexec makes for inflexible mass
                    hosting security
           Product: Apache httpd-2.0
           Version: 2.0.49
          Platform: All
               URL: http://www.dollardns.net
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: support
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: apache@dollardns.net


suexec checks to make sure that both the target uid AND gid match the 
directory and program uid and gid.  This is unnecessary, only the uid match 
check should be performed.  An apache server can be made more secure if the 
entire /var/www/html/ directory and files belongs under the group apache runs 
as.  Each /var/www/html/user/ directory and files belongs under the client 
user.  No execute or write access is allowed to anybody but the user.  No read 
access is allowed to anybody but the user and group.  SuexecUserGroup is set to 
the user and the client group - NOT the group apache runs as.  This way the 
user scripts cannot even read files in other users' directories, but apache can.
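The following is an added illustration of the layout the report describes and of why it collides with the uid-and-gid check; it is not code from the bug report or from httpd. The uid/gid numbers, user names, paths and permission bits are constructed, and the two check functions are a simplified model of what the report says suexec verifies (both uid and gid of the directory and program must equal the SuexecUserGroup target) versus the uid-only check it proposes, not suexec's real source. The file-access model is plain Unix owner/group/other evaluation.

```python
"""Constructed model of the mass-hosting layout from bug 28567.

Assumptions (not from the report): uid/gid numbers, the names alice/bob,
the exact mode bits, and the simplified check functions below.
"""
from dataclasses import dataclass

# Constructed identities for the illustration.
APACHE_UID, APACHE_GID = 48, 48      # account and group httpd runs as
ALICE_UID, ALICE_GID = 1001, 1001    # hosted client and her private group
BOB_UID, BOB_GID = 1002, 1002        # another hosted client

READ, WRITE, EXEC = 4, 2, 1


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640


def strict_check(target_uid, target_gid, directory, program):
    """Model of the check the report complains about: both the directory and
    the program must be owned by the target uid AND the target gid."""
    return all(i.uid == target_uid and i.gid == target_gid
               for i in (directory, program))


def uid_only_check(target_uid, target_gid, directory, program):
    """Model of the relaxed check the report proposes: only the uid must match."""
    return all(i.uid == target_uid for i in (directory, program))


def can_access(uid, gids, inode, bit):
    """Classic Unix permission evaluation for one file: owner bits if uid
    matches, else group bits if any supplementary gid matches, else other."""
    if uid == inode.uid:
        shift = 6
    elif inode.gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((inode.mode >> shift) & bit)


# The layout the report describes: everything under /var/www/html is in the
# apache group, each client's tree is owned by that client, only the owner may
# write or execute, only owner and group may read.  Directories carry the
# group search bit (assumed here) so the apache group can reach files inside.
LAYOUT = {
    "/var/www/html":                  Inode(0,         APACHE_GID, 0o750),
    "/var/www/html/alice":            Inode(ALICE_UID, APACHE_GID, 0o750),
    "/var/www/html/alice/script.cgi": Inode(ALICE_UID, APACHE_GID, 0o740),
    "/var/www/html/bob":              Inode(BOB_UID,   APACHE_GID, 0o750),
    "/var/www/html/bob/secret.txt":   Inode(BOB_UID,   APACHE_GID, 0o640),
}

ALICE_DIR = LAYOUT["/var/www/html/alice"]
ALICE_CGI = LAYOUT["/var/www/html/alice/script.cgi"]
BOB_SECRET = LAYOUT["/var/www/html/bob/secret.txt"]


def strict_check_accepts_layout():
    """SuexecUserGroup alice alicegroup against the described layout: the
    files are in the apache group, so the gid half of the check fails."""
    return strict_check(ALICE_UID, ALICE_GID, ALICE_DIR, ALICE_CGI)


def uid_only_check_accepts_layout():
    """The same configuration passes when only the uid is compared."""
    return uid_only_check(ALICE_UID, ALICE_GID, ALICE_DIR, ALICE_CGI)


def apache_can_read_alice_script():
    """httpd (in the apache group) can still read a client's script."""
    return can_access(APACHE_UID, {APACHE_GID}, ALICE_CGI, READ)


def apache_can_write_alice_script():
    """...but cannot modify it: only the owner has write access."""
    return can_access(APACHE_UID, {APACHE_GID}, ALICE_CGI, WRITE)


def alice_script_can_read_bob_file(run_as_gid):
    """What alice's CGI can read in bob's tree depends on the group it runs
    as: her private group gets nothing, the apache group gets group read."""
    return can_access(ALICE_UID, {run_as_gid}, BOB_SECRET, READ)


if __name__ == "__main__":
    print("strict check accepts layout:", strict_check_accepts_layout())
    print("uid-only check accepts layout:", uid_only_check_accepts_layout())
    print("apache can read alice's script:", apache_can_read_alice_script())
    print("alice's script can read bob's file (alice group):",
          alice_script_can_read_bob_file(ALICE_GID))
    print("alice's script can read bob's file (apache group):",
          alice_script_can_read_bob_file(APACHE_GID))
```

The last two calls make the report's security argument concrete: if the operator satisfies the strict check by putting the client's group in SuexecUserGroup equal to the apache group, every client's CGI gains group-read on every other client's files; running each CGI under the client's own private group (which the uid-only check would permit with this layout) keeps those files unreadable while httpd itself can still serve them.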

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org