Posted to users@httpd.apache.org by zeno <ze...@cgisecurity.net> on 2002/11/06 20:48:36 UTC

Re: [users@httpd] Apache permission problem: No fix planned in

> 
> On Wed, 6 Nov 2002, Rich Bowen wrote:
> 
> > On Wed, 6 Nov 2002, zeno wrote:
> >
> > >  Hello,
> > >
> > >  I noticed a permission issue in apache when dealing with modules. I recently
> > >  installed mod_proxy on apache 1.3.27 and setup caching of requested documents. I noticed
> >
> > After extensive discussion on IRC, it appears that this security concern
> > can be "fixed in documentation" to zeno's satisfaction. I'll be taking
> > care of that this evening.
> 
> Just for the record, here's the proposed patch, which would go into the
> security tips document.
> 
> 'Embedded scripting options which run as part of the server itself, such
> as mod_php, mod_perl, mod_tcl, and mod_python, run under the identity of
> the server itself, and therefore scripts executed by these engines
> potentially can access anything the server user can.  Some scripting
> engines may provide restrictions, but it is better to be safe and assume
> not.'
> 
> Note that my alternate proposed patch was:


I was originally trying to say no clear documentation existed on this,
but more importantly no documentation explained how to get around this for those who looked for it.
Perhaps adding

"Since these third party modules may not have
wrapper-like programs, you may want to look into using cgiwrap, or other wrapper programs like bla, etc..."

You figure people who don't have much Apache experience won't know they all run as the same. Then even
if they did, nothing mentions how to get around it when dealing with embedded scripting options. Originally
I was pointed to the suexec pages which covered wrapping, but not about this subject. Looks like the emails
Apache and myself exchanged were a tad confusing for us both. I happened to find some people on IRC
and everything is dandy now.





> 
>  "note that third party modules can do whatever the hell they want, and
>  are therefore a festering source of bugs, security holes, and general
>  nastiness."
> 
> Along with, perhaps:
> 
>  "Third party modules may be written by any self-styled programmer who
>  bought an "in 24 hours" book on amazon.com. Note that they may be less
>  competent than your pet weasel. We disclaim all responsibility for
>  their code."
> 
> but I was overruled by various voices of sanity.
> 
> 
> -- 
> Who can say where the road goes
> Where the day flows
> Only time
>  --Pilgrim (Enya - A Day Without Rain)
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.