You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Bram Kivenko <br...@xspace.com> on 1997/11/01 14:27:39 UTC

suexec/1346: questionable user promotion

>Number:         1346
>Category:       suexec
>Synopsis:       questionable user promotion
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Nov  1 05:30:00 PST 1997
>Last-Modified:
>Originator:     bram@xspace.com
>Organization:
apache
>Release:        ALL
>Environment:
all UNIX flavours
>Description:
When executing CGIs/SSIs, there is a somewhat insecure method of user
promotion.

(a) CGI's exhibit user promotion
(b) SSI's/scripts may not.
(c) the permissions are determined by file location.
>How-To-Repeat:
execute a binary CGI, a shell script CGI, and an SSI.
>Fix:
<SUEXEC FIX>
The user promotion should always go to the OWNER of the file.  Or at least this 
should be a configurable option.  There could be a configurable exception for 
files owned by root.

<APACHE FIX>
The biggest problem though is that any executed file should be executed via 
suexec if it is enabled, there should be no exceptions to that rule.

<APACHE FIX>
As a sidenote, if the server is not executing as root, it may not be able to
setrlimits correctly, consequently files not executed through suexec may run
out of control.
%0
>Audit-Trail:
>Unformatted: