Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1996/06/11 06:55:58 UTC

Re: suggestions (fwd)

This one I acked.

I mentioned the setuid debate and the fact that it has little chance of
appearing in apache. His other suggestion is something we've agreed would
be useful - allowing CGI includes but not CMD. I last remember Andy talking 
about extending some variable to make room for more bits to record the
info. Did this ever get implemented? I told him I'd try to revive the
idea.

Mail Michael if you have anything to add to this.

-=-=-=-

Date: Mon, 10 Jun 1996 23:34:08 -0500 (CDT)
From: Michael Douglass <mi...@texas.net>
To: Rob Hartill <ro...@imdb.com>
cc: apache-bugs@apache.org
Subject: Re: suggestions
In-Reply-To: <199606110420.WAA03475>
Message-ID: <Pi...@millenium.texas.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 10 Jun 1996, Rob Hartill wrote:

>
> >Ok, you let everyone know on your web page where to send bug reports; what
> >about where to send suggestions?
>
> A suggestion is just a bug that has yet to be implemented.

Hahaha...  Hehehe...  Good one, just don't tell Microsoft that... Then they'll
start talking about all those suggestions people have for their products as
neat features... :)

> >I have a suggestion for some enhancements
> >to the apache web server in the mod_include module and would like to know
> >the correct place to send it.
>
> Here's fine.

Ok, this is not too much of a big deal; but it's something that I wrote
up back when we ran our web server as root.  The first thing that came to
my mind was that the include statements would all run as root.  Well, that
is not good.  So what I did was I patched the server (back then it was NCSA)
to set all of the permissions to the user's groups and user id.  Then, and
only then would I execute the command they wanted executed.  (Now mind you
we only let certain do exec-cmd includes anyways; but for those few, we
wanted to know that our security was not in any way compromised.)  That
was no problem, and it was fairly easy to do.  (Oh, and the way I determined
what user to use was also quite simple--take the user that owns the html
document.  If you have a user with access to a web document owned by root,
that they can modify...  then go ahead and eat your foot!)

That's one thing that I did.  The second thing involved the idea of strictly
denying exec-cmds to everybody except a special few.  Ok, so what about the
vast majority of people who can't exec something from their web page... How
do you handle something like counters?  Well, the second patch/hack I did
was to allow a "Secure Exec" directory that anyone could execute programs
from.  ie. I would set up a directory (say /home/www/secure-exec) and any
executables that I placed there could be executed by anyone; regardless of
whether or not they have exec permissions (INCLUDENOEXEC, or NOEXEC), they
would be able to execute programs found here, and thus be able to use programs
like system wide counters...

Now, back when this was on NCSA, I hacked it in so that it was a configurable
option because it was quite easy to do that...  I have not taken the time to
do the config file reading from within Apache, but I don't think it should
be too hard.  (Just call me lazy!)

I have included below a patch file that can be applied directly to 1.0.5's
mod_include.c to implement the above two concepts/ideas/suggestions.  I know
that some of it could be written better; especially in the configuration part
since my patch forces you to hard code the information (ie. where is the
secureexec directory); and virtual web servers are forced to use the same
directory because of that (which has not been a problem to date).

One thing I do want to mention.  Where I am having it work with the secure
exec directory, you will notice that I had to move the code that handles
the noexec case into the handle_exec function because we need to test to see
if it resides in the secure exec directory first as that overrides noexec.
If you have any questions on this code, please let me know and I'll try to
explain it further.  I think that these patches will make real enhancements
to the usability of the Apache web server--especially the secure exec
functionality.

***************************************************************************
RCS file: RCS/mod_include.c,v
retrieving revision 1.1
diff -u -r1.1 mod_include.c
--- mod_include.c       1996/03/13 22:19:20     1.1
+++ mod_include.c       1996/06/11 04:08:55
@@ -69,6 +69,10 @@
 #include "http_main.h"
 #include "util_script.h"

+#include <sys/types.h>
+#include <sys/stat.h>
+#include <pwd.h>
+
 #define STARTING_SEQUENCE "<!--#"
 #define ENDING_SEQUENCE "-->"
 #define DEFAULT_ERROR_MSG "[an error occurred while processing this directive]"
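Review bot: the added includes stop at <pwd.h>, but the code this patch adds further down calls initgroups(), setgid() and setuid() and reads errno. initgroups() is declared in <grp.h>, the set*id calls in <unistd.h>, and errno in <errno.h>; unless httpd.h already brings those in, include them here so the calls are not compiled against implicit declarations.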
@@ -427,6 +431,8 @@
     FILE *dbg = fopen ("/dev/tty", "w");
 #endif
     char err_string [MAX_STRING_LEN];
+    struct stat fileStat;
+    struct passwd *pwent;

 #ifdef DEBUG_INCLUDE_CMD
     fprintf (dbg, "Attempting to include command '%s'\n", s);
@@ -458,6 +464,42 @@
     fprintf (dbg, "Attempting to exec '%s'\n", s);
 #endif
     cleanup_for_exec();
+
+    if (stat (r->filename,&fileStat)) {
+       sprintf(err_string, "httpd: could not stat %s, errno is %d\n",
+           r->filename,errno);
+       write (2, err_string, strlen(err_string));
+       exit(0);
+    }
+
+     if (! (pwent = getpwuid(fileStat.st_uid)) ) {
+        sprintf(err_string, "httpd: could not find uid %d in /etc/passwd\n",
+            fileStat.st_uid);
+        write (2, err_string, strlen(err_string));
+        exit(0);
+     }
+
+     if (initgroups(pwent->pw_name,pwent->pw_gid) < 0) {
+        sprintf(err_string, "httpd: could not initgroups() for uid %d\n",
+            fileStat.st_uid);
+        write (2, err_string, strlen(err_string));
+        exit(0);
+    }
+
+    if (setgid(fileStat.st_gid)) {
+       sprintf(err_string, "httpd: could not setgid %d, errno is %d\n",
+           fileStat.st_gid,errno);
+       write (2, err_string, strlen(err_string));
+       exit(0);
+    }
+
+    if (setuid(fileStat.st_uid)) {
+       sprintf(err_string, "httpd: could not setuid %d, errno is %d\n",
+           fileStat.st_uid,errno);
+       write (2, err_string, strlen(err_string));
+       exit(0);
+    }
+
     execle(SHELL_PATH, SHELL_PATH, "-c", s, NULL,
           create_environment (r->pool, env));

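Review bot: nothing between stat() and setuid(fileStat.st_uid) rejects uid 0, so a document owned by root gets its command run as root; refuse st_uid 0 (and preferably any id below a configured minimum) before the initgroups()/setgid()/setuid() sequence. Three smaller points in the same block: each sprintf() writes r->filename into the MAX_STRING_LEN err_string with no bound, so use a length-limited format; every failure path ends in exit(0), which reports success as the exit status, so exit non-zero instead; and initgroups() is given pwent->pw_gid while setgid() uses fileStat.st_gid, so pick one source for the primary group.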
@@ -491,18 +533,25 @@
     return 0;
 }

+#define SECURE_EXEC "/www/exec/lonestar/"

 int handle_exec(FILE *in, request_rec *r, char *error)
 {
     char tag[MAX_STRING_LEN];
     char *tag_val;
     char *file = r->filename;
+    int noexec = allow_options (r) & OPT_INCNOEXEC;

     while(1) {
         if(!(tag_val = get_tag (r->pool, in, tag, MAX_STRING_LEN, 1)))
             return 1;
         if(!strcmp(tag,"cmd")) {
-            if(include_cmd(tag_val, r) == -1) {
+            if(strncmp(SECURE_EXEC,tag_val,strlen(SECURE_EXEC)) && noexec) {
+                log_printf(r->server, "httpd: exec used but not allowed in %s",
+                           r->filename);
+                rprintf(r,"%s",error);
+                return (find_string(in,ENDING_SEQUENCE,NULL));
+            } else if(include_cmd(tag_val, r) == -1) {
                 log_printf(r->server, "failed command exec %s in %s",
                           tag_val, file);
                 rprintf(r,"%s",error);
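Review bot: the strncmp() against SECURE_EXEC in the cmd branch only checks how tag_val begins, and include_cmd() hands the whole string to the shell (execle(SHELL_PATH, SHELL_PATH, "-c", s, ...)), so the prefix match does not confine what runs to that directory when OPT_INCNOEXEC is set. For the exempt case, accept only a single path with no shell metacharacters, canonicalise it before comparing, and exec it directly rather than through "-c". SECURE_EXEC as a #define also forces one directory on every virtual host; a per-server configuration directive would fit better.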
@@ -706,6 +755,8 @@
             if(get_directive(f,directive))
                 return;
             if(!strcmp(directive,"exec")) {
+                ret=handle_exec(f, r, error);
+/*
                 if(noexec) {
                     log_printf(r->server,
                               "httpd: exec used but not allowed in %s",
@@ -714,6 +765,7 @@
                     ret = find_string(f,ENDING_SEQUENCE,NULL);
                 } else
                     ret=handle_exec(f, r, error);
+*/
             }
             else if(!strcmp(directive,"config"))
                 ret=handle_config(f, r, error, timefmt, &sizefmt);
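Review bot: the old noexec branch is disabled with /* ... */ rather than deleted, with the comment opened in the previous hunk and closed here; remove the dead lines outright, along with the caller's noexec variable if nothing else reads it. With the caller's check gone, OPT_INCNOEXEC is enforced only inside the cmd branch of handle_exec(), so confirm that every other tag handle_exec() processes is meant to run when exec is disallowed, and say so in a comment.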
***************************************************************************

Michael Douglass
Texas Networking, Inc.


  "To be a saint is to be an exception; to be a true man is the rule.
   Err, fail, sin if you must, but be upright.  To sin as little as
   possible is the law for men; to sin not at all is a dream for angels."

              - Victor Hugo, "Les Miserables"

----- End of forwarded message from Michael Douglass -----
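
Added example, not part of the original message and not Apache code: the two ideas in the message (run the command as the document's owner; exempt one "secure exec" directory from NOEXEC) each rest on a check, shown here in C. MIN_EXEC_UID, in_secure_dir() and owner_may_exec() are hypothetical names, and the example assumes the exempt command is a single absolute path with no arguments.

```c
#define _XOPEN_SOURCE 700   /* realpath(), S_ISREG under strict -std modes */
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define MIN_EXEC_UID 100    /* assumed floor for ordinary accounts */

/* 1 if cmd is one program path that resolves to a file inside dir. */
int in_secure_dir(const char *dir, const char *cmd)
{
    char *rdir, *rcmd;
    size_t n;
    int ok = 0;

    /* Anything the shell would split or expand is not a single path. */
    if (cmd[0] != '/' || cmd[strcspn(cmd, " \t\n;&|<>`$(){}[]*?!\\\"'~#")])
        return 0;
    /* realpath() resolves "..", "." and symlinks; NULL if missing. */
    rdir = realpath(dir, NULL);
    rcmd = realpath(cmd, NULL);
    if (rdir && rcmd) {
        n = strlen(rdir);
        /* Compare whole components: /www/exec-old is not /www/exec. */
        ok = strncmp(rdir, rcmd, n) == 0 && rcmd[n] == '/';
    }
    free(rdir);
    free(rcmd);
    return ok;
}

/* 1 if a command may run with the identity of this document's owner. */
int owner_may_exec(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))
        return 0;                       /* directories, devices, FIFOs */
    if (st->st_uid < MIN_EXEC_UID)
        return 0;                       /* root and system accounts */
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* someone else can edit it */
    return 1;
}
```

A caller would fill the struct stat with fstat() on the already opened document, so that the check and the later setuid() refer to the same file.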