You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Bram Kivenko <br...@xspace.com> on 1997/11/01 14:27:39 UTC
suexec/1346: questionable user promotion
>Number: 1346
>Category: suexec
>Synopsis: questionable user promotion
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sat Nov 1 05:30:00 PST 1997
>Last-Modified:
>Originator: bram@xspace.com
>Organization:
apache
>Release: ALL
>Environment:
all UNIX flavours
>Description:
When executing CGIs/SSIs, there is a somewhat insecure method of user
promotion.
(a) CGI's exhibit user promotion
(b) SSI's/scripts may not.
(c) the permissions are determined by file location.
>How-To-Repeat:
execute a binary CGI, a shell script CGI, and an SSI.
>Fix:
<SUEXEC FIX>
The user promotion should always go to the OWNER of the file. Or at least this
should be a configurable option. There could be a configurable exception for
files owned by root.
<APACHE FIX>
The biggest problem though is that any executed file should be executed via
suexec if it is enabled, there should be no exceptions to that rule.
<APACHE FIX>
As a sidenote, if the server is not executing as root, it may not be able to
setrlimits correctly, consequently files not executed through suexec may run
out of control.
%0
>Audit-Trail:
>Unformatted: