You are viewing a plain text version of this content. The canonical link for it is here.
Posted to docs@httpd.apache.org by Colm MacCarthaigh <co...@stdlib.net> on 2003/09/01 14:09:03 UTC
clean up suexec doc
Summary; Change the list of list of checks in the security model
to more accurately reflect what happens, and in the
correct order. Also fix the default locations, and add
a subsection about setting paranoid permissions.
Index: manual/suexec.html.en
===================================================================
RCS file: /home/cvspublic/httpd-2.0/docs/manual/suexec.html.en,v
retrieving revision 1.47
diff -u -r1.47 suexec.html.en
--- manual/suexec.html.en 25 Jul 2003 18:31:25 -0000 1.47
+++ manual/suexec.html.en 1 Sep 2003 12:01:47 -0000
@@ -124,6 +124,16 @@
<ol>
<li>
+ <strong>Is the user executing this wrapper a valid user of
+ this system?</strong>
+
+ <p class="indent">
+ This is to ensure that the user executing the wrapper is
+ truly a user of the system.
+ </p>
+ </li>
+
+ <li>
<strong>Was the wrapper called with the proper number of
arguments?</strong>
@@ -138,16 +148,6 @@
</li>
<li>
- <strong>Is the user executing this wrapper a valid user of
- this system?</strong>
-
- <p class="indent">
- This is to ensure that the user executing the wrapper is
- truly a user of the system.
- </p>
- </li>
-
- <li>
<strong>Is this valid user allowed to run the
wrapper?</strong>
@@ -244,11 +244,12 @@
</li>
<li>
- <strong>Does the directory in which the target CGI/SSI program
- resides exist?</strong>
+ <strong>Can we change directory to the one in which the target CGI/SSI program
+ resides?</strong>
<p class="indent">
- If it doesn't exist, it can't very well contain files.
+ If it doesn't exist, it can't very well contain files. If we can't
+ change directory to it, it might aswell not exist.
</p>
</li>
@@ -443,10 +444,10 @@
<div class="example"><p><code>
suEXEC setup:<br />
- suexec binary: /usr/local/apache/sbin/suexec<br />
- document root: /usr/local/apache/share/htdocs<br />
+ suexec binary: /usr/local/apache2/sbin/suexec<br />
+ document root: /usr/local/apache2/share/htdocs<br />
userdir suffix: public_html<br />
- logfile: /usr/local/apache/var/log/suexec_log<br />
+ logfile: /usr/local/apache2/var/log/suexec_log<br />
safe path: /usr/local/bin:/usr/bin:/bin<br />
caller ID: www<br />
minimum user ID: 100<br />
@@ -463,13 +464,40 @@
command "make install" to install them. The binary image
"suexec" is installed in the directory defined by the --sbindir
option. Default location is
- "/usr/local/apache/sbin/suexec".<br />
+ "/usr/local/apache2/sbin/suexec".<br />
Please note that you need <strong><em>root
privileges</em></strong> for the installation step. In order
for the wrapper to set the user ID, it must be installed as
owner <code><em>root</em></code> and must have the setuserid
execution bit set for file modes.</p>
+ <p><strong>Setting paranoid permissions</strong><br />
+ Allthough the suexec wrapper will check to ensure that its
+ caller is the correct user as specified with the
+ "--with-suexec-caller" configure option, there is always the
+ possiblity that a system or library call suexec uses before
+ this check may be exploitable on your system. To counter this,
+ and because it is best-practise in general, you should use
+ filesystem permissions to ensure that only the group apache
+ runs as may execute suexec.</p>
+
+ <p>If for example, your webserver is configured to run as;</p>
+
+<div class="example"><p><code>
+ User www<br />
+ Group webgroup<br />
+</code></p></div>
+
+ <p>and suexec is installed at "/usr/local/apache2/sbin/suexec", you
+ should run:</p>
+
+<div class="example"><p><code>
+ chgrp webgroup /usr/local/apache2/bin/suexec<br />
+ chmod 4750 /usr/local/apache2/bin/suexec<br />
+</code></p></div>
+
+ <p>This will ensure that only the group apache runs as can even
+ execute the suexec wrapper.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
<div class="section">
<h2><a name="enable" id="enable">Enabling & Disabling
Index: manual/suexec.xml
===================================================================
RCS file: /home/cvspublic/httpd-2.0/docs/manual/suexec.xml,v
retrieving revision 1.9
diff -u -r1.9 suexec.xml
--- manual/suexec.xml 25 Jul 2003 18:31:25 -0000 1.9
+++ manual/suexec.xml 1 Sep 2003 12:01:47 -0000
@@ -96,6 +96,16 @@
<ol>
<li>
+ <strong>Is the user executing this wrapper a valid user of
+ this system?</strong>
+
+ <p class="indent">
+ This is to ensure that the user executing the wrapper is
+ truly a user of the system.
+ </p>
+ </li>
+
+ <li>
<strong>Was the wrapper called with the proper number of
arguments?</strong>
@@ -110,16 +120,6 @@
</li>
<li>
- <strong>Is the user executing this wrapper a valid user of
- this system?</strong>
-
- <p class="indent">
- This is to ensure that the user executing the wrapper is
- truly a user of the system.
- </p>
- </li>
-
- <li>
<strong>Is this valid user allowed to run the
wrapper?</strong>
@@ -216,11 +216,12 @@
</li>
<li>
- <strong>Does the directory in which the target CGI/SSI program
- resides exist?</strong>
+ <strong>Can we change directory to the one in which the target CGI/SSI program
+ resides?</strong>
<p class="indent">
- If it doesn't exist, it can't very well contain files.
+ If it doesn't exist, it can't very well contain files. If we can't
+ change directory to it, it might aswell not exist.
</p>
</li>
@@ -416,10 +417,10 @@
<example>
suEXEC setup:<br />
- suexec binary: /usr/local/apache/sbin/suexec<br />
- document root: /usr/local/apache/share/htdocs<br />
+ suexec binary: /usr/local/apache2/sbin/suexec<br />
+ document root: /usr/local/apache2/share/htdocs<br />
userdir suffix: public_html<br />
- logfile: /usr/local/apache/var/log/suexec_log<br />
+ logfile: /usr/local/apache2/var/log/suexec_log<br />
safe path: /usr/local/bin:/usr/bin:/bin<br />
caller ID: www<br />
minimum user ID: 100<br />
@@ -436,13 +437,40 @@
command "make install" to install them. The binary image
"suexec" is installed in the directory defined by the --sbindir
option. Default location is
- "/usr/local/apache/sbin/suexec".<br />
+ "/usr/local/apache2/sbin/suexec".<br />
Please note that you need <strong><em>root
privileges</em></strong> for the installation step. In order
for the wrapper to set the user ID, it must be installed as
owner <code><em>root</em></code> and must have the setuserid
execution bit set for file modes.</p>
+ <p><strong>Setting paranoid permissions</strong><br />
+ Allthough the suexec wrapper will check to ensure that its
+ caller is the correct user as specified with the
+ "--with-suexec-caller" configure option, there is always the
+ possiblity that a system or library call suexec uses before
+ this check may be exploitable on your system. To counter this,
+ and because it is best-practise in general, you should use
+ filesystem permissions to ensure that only the group apache
+ runs as may execute suexec.</p>
+
+ <p>If for example, your webserver is configured to run as;</p>
+
+<example>
+ User www<br />
+ Group webgroup<br />
+</example>
+
+ <p>and suexec is installed at "/usr/local/apache2/sbin/suexec", you
+ should run:</p>
+
+<example>
+ chgrp webgroup /usr/local/apache2/bin/suexec<br />
+ chmod 4750 /usr/local/apache2/bin/suexec<br />
+</example>
+
+ <p>This will ensure that only the group apache runs as can even
+ execute the suexec wrapper.</p>
</section>
<section id="enable"><title>Enabling & Disabling
--
Colm MacCárthaigh Public Key: colm+pgp@stdlib.net
colm@stdlib.net http://www.stdlib.net/
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org