Posted to apache-bugdb@apache.org by Marc Slemko <ma...@znep.com> on 1997/07/26 10:50:02 UTC

Re: suexec/921: Uses cwd before filling it in, doesn't use syslog (fwd)

The following reply was made to PR suexec/921; it has been noted by GNATS.

From: Marc Slemko <ma...@znep.com>
To: apbugs@apache.org
Subject: Re: suexec/921: Uses cwd before filling it in, doesn't use syslog  (fwd)
Date: Sat, 26 Jul 1997 02:47:25 -0600 (MDT)

 
   This message is in MIME format.  The first part should be readable text,
   while the remaining parts are likely unreadable without MIME-aware tools.
   Send mail to mime@docserver.cac.washington.edu for more info.
 
 --==_Exmh_16382602920
 Content-Type: TEXT/PLAIN; CHARSET=us-ascii
 Content-ID: <Pi...@alive.znep.com>
 
 
 
 ---------- Forwarded message ----------
 Date: Sat, 26 Jul 1997 04:35:50 -0400
 From: Jason Riedy <ej...@cise.ufl.edu>
 To: Marc Slemko <ma...@hyperreal.org>
 Subject: Re: suexec/921: Uses cwd before filling it in, doesn't use syslog 
 
 Oh well.  And Marc Slemko writes:
  - The references to cwd before it is set are in error, however
  - the getcwd() is after the setuid() on purpose due to issues
  - with NFS mapping root --> nobody.  The fix will probably involve
  - changing the uses of cwd before it is set.
 
 Good point.  It doesn't matter in our application...  The server's
 already running as nobody, so nobody must already have enough access 
 to the directory for a cwd.  I can see alternate setups, though.
 
 Replacing the cwd() with getenv("SCRIPT_FILENAME") should work
 up until you really need the cwd().  Actually, that even gives a
 nicer filename with automounters.  I've attached a patch against the
 original suexec for only the cwd() thing.  It'd be possible to use
 the script's filename even after getting the cwd(), but...
 
  - I see nothing wrong with the *printf*'s you claimed were a problem.  They
  - are not printing to a string, but to a file descriptor
  - so there is no buffer to overflow.
 
 I don't trust Solaris's file buffers and printf implementation.  ;)  
 We've been able to trivially overflow too many pieces of their code.  
 And 2.6 still has the output of mount reversed (mount-point on device); 
 that doesn't raise my confidence level.
 
 The snprintfs don't really hurt anything.
 
  - We will consider if we want to include some form of your
  - syslog modifications.
 
 yeah!
 
 I had to add them locally to meet our security policies (duplicate,
 non-local logs for most suid apps), so I thought I'd pass them along.
 
 Jason, who really will go back to working on his thesis soon...
 
 
 Attachment: suexec.patch.2 (Pure cwd patch...)
 
 --- suexec.c.orig	Sat Jul 26 04:21:54 1997
 +++ suexec.c	Sat Jul 26 04:23:25 1997
 @@ -222,4 +222,5 @@
      char *prog;             /* name of this program      */
      char *cmd;              /* command to be executed    */
 +    char *script_filename;  /* SCRIPT_FILENAME CGI environment var */
      char cwd[AP_MAXPATH];   /* current working directory */
      char dwd[AP_MAXPATH];   /* docroot working directory */
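Review bot: `script_filename` is declared without an initializer and only assigned from getenv() in a later hunk; consider `char *script_filename = NULL;` so the pointer holds a known value from its declaration onward rather than an indeterminate one on any path that logs it early.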
 @@ -324,8 +325,9 @@
       * before we setuid().
       */
 +    script_filename = getenv ("SCRIPT_FILENAME");
      log_err("uid: (%s/%s) gid: (%s/%s) %s\n",
               target_uname, actual_uname,
               target_gname, actual_gname,
 -             cmd);
 +             script_filename);
  
      /*
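Review bot: `getenv("SCRIPT_FILENAME")` returns NULL when the variable is not set, and the new log_err() call passes that straight to a `%s` conversion, which is undefined behaviour for printf-family functions; add a guard such as `if (script_filename == NULL) script_filename = cmd;` right after the getenv() so this line and the later setgid/setuid messages always have a string. Replacing `cmd` also drops the command name from this log line; if both are useful for audit, print both. Minor: `getenv (` has a space before the parenthesis where the surrounding code writes `log_err(`.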
 @@ -356,5 +358,5 @@
       */
      if (((setgid(gid)) != 0) || (initgroups(actual_uname,gid) != 0)) {
 -        log_err("failed to setgid (%ld: %s/%s)\n", gid, cwd, cmd);
 +        log_err("failed to setgid (%ld: %s)\n", gid, script_filename);
          exit(109);
      }
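Review bot: dropping `cwd` here is right, since cwd is not filled in until the getcwd() that runs after setuid() (as Marc's reply explains), but `script_filename` still needs the NULL fallback noted on the getenv() hunk, because an unset variable would reach this `%s` on the error path. The format also changes from `(gid: cwd/cmd)` to `(gid: script)`, so anything parsing these log lines needs to be updated in step.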
 @@ -364,5 +366,5 @@
       */
      if ((setuid(uid)) != 0) {
 -	log_err("failed to setuid (%ld: %s/%s)\n", uid, cwd, cmd);
 +	log_err("failed to setuid (%ld: %s)\n", uid, script_filename);
  	exit(110);
      }
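Review bot: same point as the setgid hunk: removing the uninitialized `cwd` from the message is correct, but `script_filename` can be NULL here too and needs the same fallback. The `log_err` and `exit(110)` lines in this block keep tab indentation while the setgid block above uses spaces; worth normalising while these lines are being touched.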
 
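The patch's idea of logging SCRIPT_FILENAME while cwd is still unknown, written defensively as an added example (this is not code from the patch or from suexec): `script_for_log` is a hypothetical helper that uses the environment value only when it is a non-NULL absolute path without control characters, and otherwise falls back to the command name, so the `%s` in the log line never sees NULL. The uid/gid strings in `main` are constructed sample values.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * getenv() returns NULL when SCRIPT_FILENAME is unset, and passing NULL to
 * a %s conversion is undefined behaviour.  SCRIPT_FILENAME also comes from
 * the invoking process's environment, so it is accepted for logging only
 * when it looks like a clean absolute path.
 * Returns 1 when SCRIPT_FILENAME was used, 0 when it fell back to cmd.
 */
int script_for_log(const char *script_filename, const char *cmd,
                   char *out, size_t outlen)
{
    const char *src = script_filename;
    const char *p;

    if (src == NULL || src[0] != '/') {
        src = NULL;                       /* unset or not an absolute path */
    } else {
        for (p = src; *p != '\0'; p++) {
            if (iscntrl((unsigned char)*p)) { /* newline etc. would break the log */
                src = NULL;
                break;
            }
        }
    }

    if (src != NULL) {
        snprintf(out, outlen, "%s", src);
        return 1;
    }
    snprintf(out, outlen, "%s", cmd != NULL ? cmd : "(no command)");
    return 0;
}

/* Stand-alone demo mirroring the pre-setuid log line from the patch. */
int main(int argc, char **argv)
{
    char name[256];
    const char *cmd = argc > 1 ? argv[1] : "test.cgi";   /* constructed default */

    script_for_log(getenv("SCRIPT_FILENAME"), cmd, name, sizeof name);
    fprintf(stderr, "uid: (%s/%s) gid: (%s/%s) %s\n",
            "www", "www", "users", "users", name);       /* constructed values */
    return 0;
}
```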