Posted to dev@httpd.apache.org by Simon Huggins <hu...@earth.li> on 2000/01/29 00:07:23 UTC

[PATCH] mod_include 1.3.x - limiting EXEC to a certain directory

Hi,

A while ago (just before the new year) I wrote a patch for Apache 1.3.9
to limit executable includes to one directory (or any directories off
that).

The rationale was that we (Black Cat Networks) wanted to allow people to
include *our* scripts in a specific directory but didn't want people to
include random executables on our system.

I've attached the patch against 1.3.9 but since I have had lots of other
things to think about (like uni exams) I haven't got around to looking
at any newer versions of Apache.

If people like the idea then it should (hopefully) be trivial to port to
newer versions and I will be glad to do this.

We've been running this patch on our server for almost a month now and
we've not had any problems.

I'd appreciate it if people would look it over from a security viewpoint
though since this is my first Apache patch and I don't claim to know the
API that well.


What it does:

It adds a TrustedIncludesDir directive which takes a directory as a
parameter and then when you specify +IncludesNOEXEC it will allow
execution of scripts if and only if they are in that directory.

In order to get the old behaviour of +IncludesNOEXEC just don't specify
that directive.

We have /include aliased to /home/www/ssi/ and then specify
TrustedIncludesDir /home/www/ssi


All comments, flames, etc. appreciated.


Simon.
-- 
UK based domain, email and web hosting ***/       "If this is monkey pee /*
http://www.blackcatnetworks.co.uk/     **/       you're on your own." - /**
sales@blackcatnetworks.co.uk           */                       Scully /***
Black Cat Networks                     /                              /****

Re: [PATCH] mod_include 1.3.x - limiting EXEC to a certain directory

Posted by Marc Slemko <ma...@znep.com>.
On Fri, 28 Jan 2000, Simon Huggins wrote:

> Hi,
> 
> A while ago (just before the new year) I wrote a patch for Apache 1.3.9
> to limit executable includes to one directory (or any directories off
> that).
> 
> The rationale was that we (Black Cat Networks) wanted to allow people to
> include *our* scripts in a specific directory but didn't want people to
> include random executables on our system.

Why not just use IncludesNoEXEC then tell your users to "include
virtual" something in a ScriptAliased directory?

IncludesNoEXEC allows that just fine.  All it prevents is the user
executing things that wouldn't normally be treated as CGIs.  Yes,
there is a longstanding bug that makes it not work in non-ScriptAliased
directories.
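The configuration Marc describes, written out as an added example (not part of either post, and not the attached patch): the users' directories run with IncludesNOEXEC, the shared scripts live in a ScriptAliased directory, and pages pull them in with "include virtual". The paths reuse Simon's /include and /home/www/ssi; the user directory and file names are assumed.

```apache
# Added example: stock Apache 1.3 directives, no patch required.
# Shared scripts: the ONLY place a user page can cause execution.
# ScriptAlias (not Alias) makes everything under it a CGI, so an
# "include virtual" of these paths is a normal CGI subrequest.
ScriptAlias /include/ /home/www/ssi/

# Weak setting for comparison: +Includes lets every .shtml run
# "#exec cmd" and "#exec cgi" against arbitrary binaries on the box.
#   Options +Includes

# User content: parse .shtml but refuse #exec and includes of
# non-CGI executables. Includes of /include/* still work because
# those requests resolve to CGIs via the ScriptAlias above.
<Directory /home/www/users>
    Options +IncludesNOEXEC
    AddType text/html .shtml
    AddHandler server-parsed .shtml
</Directory>

# What a user page may and may not do under this setup
# (SSI directives, shown here as Apache-config comments):
#   allowed:  <!--#include virtual="/include/header.cgi" -->
#   refused:  <!--#exec cmd="/usr/bin/id" -->
#   refused:  <!--#exec cgi="/home/www/users/bob/run.cgi" -->
```

Marc's caveat still applies: the IncludesNOEXEC check misbehaves for CGIs in non-ScriptAliased directories in 1.3.x, so keep the trusted scripts under a ScriptAlias rather than relying on AddHandler cgi-script elsewhere.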