Posted to apache-bugdb@apache.org by Marc Slemko <ma...@znep.com> on 1998/05/07 22:40:00 UTC

Re: general/2202: .cgi programs in user directories run without suexec

The following reply was made to PR general/2202; it has been noted by GNATS.

From: Marc Slemko <ma...@znep.com>
To: "J. M. Hinkle" <jh...@rockisland.com>
Cc: Apache bugs database <ap...@apache.org>
Subject: Re: general/2202: .cgi programs in user directories run without suexec
Date: Thu, 7 May 1998 14:23:41 -0600 (MDT)

 suexec sets things up so that CGIs run as a different user than what the
 web server runs as.  This is done through either virtualhosts with user
 and group directives or through ~userdir requests.
 
 Without suexec, the normal way to do things is that all CGIs are executed
 by the user the web server runs as.  This is perfectly acceptable in many
 environments and is not necessarily a security risk.  If people want
 ~userdir CGIs to run as the user instead, they have to use suexec.  If
 they don't, they don't run suexec and CGIs run as they always have on
 nearly every Unix web server in the history of the web.
 
 On Thu, 7 May 1998, J. M. Hinkle wrote:
 
 > At 04:52 PM 5/7/98 -0000, you wrote:
 > >
 > >Synopsis: .cgi programs in user directories run without suexec
 > 
 > >If it is enabled, they do.  If you think you have it
 > >enabled and they aren't, then you probably haven't
 > >configured it correctly.  Review the docs.
 > >
 > 
 > I realize you don't want to rehash stuff to a user, but are we
 > miscommunicating here? The point I was trying to make is that this Apache
 > will run user level .cgi programs whether or not suexec is even present,
 > much less configured correctly.  Isn't the point of suexec to protect the
 > system by conditionally running .cgi programs?
 > 
 > The upshot is that suexec does nothing, it is not needed to run user level
 > .cgi programs.  The inference I get from the docs is that this is not the way
 > Apache is supposed to work.
 > 
 > Now I'm really confused about why so much is made of suexec in the docs and
 > why it is provided.  .cgi programs in a user directory work without suexec being
 > even available to run.  How can suexec be "enabled" without even existing?
 > If you mean "ExecCGI" enabled, that is not present anywhere in these .conf
 > files, yet .cgi programs in a user directory run anyway.
 > 
 > I just thought this might be a serious security issue, but somehow I have
 > to refigure what is meant by that regarding .cgi programs in user
 > directories.  After using Apache for a year or so, and going over and over
 > the docs, what I read and what I see just don't match up.
 > 
 > Sorry to bother you.
 > 
 > jmh
 >
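The exchange above comes down to a question an administrator can settle directly rather than from the docs: is the wrapper actually in effect? Three things have to hold. The suexec binary has to be installed setuid root (httpd refuses it otherwise), httpd has to report finding it when it starts (it writes "suEXEC mechanism enabled (wrapper: ...)" to error_log), and a test CGI under ~user has to come back running as that user rather than as the server's User. The script below is an added example, not part of this bug report or of the Apache distribution; the paths, the account names and the sample `ls -l`, error_log and `id` output it works on are constructed.

```sh
#!/bin/sh
# Added example: three checks that show whether suexec is really wrapping
# ~user CGIs. Not from the Apache bug report; paths and sample data are
# constructed.

# 1. The wrapper must be owned by root and setuid, or httpd will not use it.
#    Pass the permission field and owner from `ls -l /path/to/suexec`,
#    e.g.  suexec_mode_ok -rws--x--- root
suexec_mode_ok() {
  case "$1" in
    -rws*) [ "$2" = root ] ;;   # 's' in the owner-execute slot is the setuid bit
    *) return 1 ;;
  esac
}

# 2. httpd announces a usable wrapper once at startup in error_log:
#    "suEXEC mechanism enabled (wrapper: /path/to/suexec)".
#    Reads the log on stdin; exits 0 if the notice is present.
suexec_announced() {
  grep -q 'suEXEC mechanism enabled'
}

# 3. Ask the server who it really ran the script as. Install this as
#    ~user/public_html/cgi-bin/whoami.cgi (path is an assumption) with
#    printf '%s\n' "$whoami_cgi" > whoami.cgi, then request it via httpd.
whoami_cgi='#!/bin/sh
echo "Content-Type: text/plain"
echo
id -un'

# Compare the user the CGI reported ($1) with the owner of ~user ($2) and
# the server's User directive ($3). Prints one of:
#   suexec      the wrapper switched to the directory owner
#   no-suexec   the script ran as the server user, as it does without suexec
#   unexpected  neither of the two accounts you would expect
cgi_verdict() {
  if [ "$1" = "$2" ]; then echo suexec
  elif [ "$1" = "$3" ]; then echo no-suexec
  else echo unexpected
  fi
}

# Constructed sample inputs standing in for real host output.
sample_ls='-rws--x--- 1 root nobody 14234 May  7 1998 /usr/local/apache/bin/suexec'
sample_log='[Thu May  7 14:23:41 1998] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)'

set -- $sample_ls
if suexec_mode_ok "$1" "$3"; then echo "wrapper: setuid root, OK"; else echo "wrapper: NOT setuid root"; fi
if printf '%s\n' "$sample_log" | suexec_announced; then echo "startup: httpd found the wrapper"; else echo "startup: no suEXEC notice in error_log"; fi
echo "~jmh CGI reports jmh,    User nobody: $(cgi_verdict jmh jmh nobody)"
echo "~jmh CGI reports nobody, User nobody: $(cgi_verdict nobody jmh nobody)"
```

For a VirtualHost with its own User and Group directives the same three checks apply; pass the vhost's User as the expected account instead of the ~user directory owner. A "no-suexec" verdict with a setuid wrapper present usually means the startup notice is missing, i.e. httpd was built with a different wrapper path than the one installed, which is the "think you have it enabled but haven't configured it correctly" case from the reply.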