You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Brian Nelson <br...@earthlink.net> on 2000/12/06 17:10:05 UTC
Re: suexec/6933: suexec does not check cgi's from within the docroot
(blind execution)
The following reply was made to PR suexec/6933; it has been noted by GNATS.
From: Brian Nelson <br...@earthlink.net>
To: slive@apache.org
Cc: apbugs@apache.org
Subject: Re: suexec/6933: suexec does not check cgi's from within the docroot
(blind execution)
Date: Wed, 06 Dec 2000 09:59:20 -0500
slive@apache.org wrote:
>
> [In order for any reply to be added to the PR database, you need]
> [to include <ap...@Apache.Org> in the Cc line and make sure the]
> [subject line starts with the report component and number, with ]
> [or without any 'Re:' prefixes (such as "general/1098:" or ]
> ["Re: general/1098:"). If the subject doesn't match this ]
> [pattern, your message will be misfiled and ignored. The ]
> ["apbugs" address is not added to the Cc line of messages from ]
> [the database automatically because of the potential for mail ]
> [loops. If you do not include this Cc, your reply may be ig- ]
> [nored unless you are responding to an explicit request from a ]
> [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
>
> Synopsis: suexec does not check cgi's from within the docroot (blind execution)
>
> State-Changed-From-To: open-closed
> State-Changed-By: slive
> State-Changed-When: Tue Dec 5 20:10:46 PST 2000
> State-Changed-Why:
>
> Yes, the suexec docs are a little sketchy. However,
> what you are asking for does not make any sense.
> If the request is for the main server, not under
> any vhost, then what user and group would suexec
> change to? (That is a rhetorical question ;-)
>
> If you to use suexec on the main server, you should
> configure a vhost to catch requests for the main
> server and place the appropriate User and Group
> directive in the vhost.
>
> Thanks for using Apache.
It makes sense to me *grin*. In my senerio, I am the admin for the
server only, not content. The server runs as websrv. There are several
vhosts, as well as many userdir pages. But, there is still one 'main'
page for the site (docroot), which is maintained by other various random
persons (not me). The main docroot is owned by webadmin. (therfore
someone else than the server is running). As the admin, I want the
security feature of suexec for _all_ cgi, as i am very afraid of
whatever crazy ideas the users may come up with in their code. The
docroot would be included since it is maintained by others. What is can
do is probablly just convert the docroot into a vhost like you said, and
it should work find. In theory though, even if the docroot and httpd
were owned by the same person, it would be nice to have suexec do the
sanity checks against the cgi, even if it dosnt end up suing to anyone
different.
Just a thought :)