Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1996/06/02 19:23:13 UTC

Re: setuid control WITHOUT running as root

> Comments on first glance ---
> 
> 1) The patch, as you distributed it, conflates the CGI-wrapper stuff
>    with a few other changes --- in particular, allowing nonexistent
>    DocumentRoots for virtual servers, and your ConfigDir patch.  I
>    think there's consensus that it would be a good idea to have both
>    these things in a future release, but not yet on the exact form
>    which they should take, so it would probably be best, for the moment,
>    to consider them independently.

Understood. 'cvs diff' is very handy, and in this case cannot be
edited from the patch. Depending on what happens with those patches
I have already submitted, I can send a cleaner patch.

> 2) The is_scriptaliased business really is CGI-specific, and probably
>    should stay with mod_cgi.  (Actually, it should really just be
>    trashed in favor of something handler-based, but as long as the
>    ugliness is there, it probably ought to be as far from the server
>    core as possible).  Consolidating some of the other error checks,
>    however, is probably a good idea.

For some reason I moved it, but it can easily be moved back.

> 3) As I read the code, there's no way to bypass the sucgi wrapper,
>    even for sites that don't want uid-flipping behavior.  I'm less
>    concerned about overhead here than about just plain ol' complexity
>    of installation and site maintenance --- it's one more binary that
>    you gotta install, and the server itself has to know where to find
>    it, which is a bit of a pain in the neck for people who don't need
>    the functionality.

Agreed. I mainly wanted feedback on how the group felt it best to
accomplish this.

	* By turning off the suid bit on the wrapper?
	* By an execution flag?
	* Compile time option?

> 4) Unfortunately, looking over the wrapper itself, if you do install
>    it with the suid bit on, I do see a problem --- if you can get a
>    process running as 'www', and this wrapper has been installed
>    suid-root, you can then run the wrapper yourself with argv[1] of
>    root and wreak your will.  Possible ways of getting such a process
>    include *non*-suid CGI, and putting a trojan-horse command where it
>    will get run by a maintenance job.  (Ah, the games you can play
>    with 'uucp'...).  At any rate, it seems a little more paranoia
>    is in order here on the part of the wrapper itself.

Yes. I mentioned that in the preface to my patch. It should probably
disallow uid 0 completely, or have a specific list of scripts that
it will apply uid 0 to.

In much of my installation, I have begun treating www as special as
root. One of the motivations for this patch is to prevent other Vhosts
from running as www since running as that uid can probably wreak as much
havoc on the server as being root.

By retaining control over the execution uid in the server config files,
I have a better level of comfort than if I allow execution of setuid scripts.
I'm getting seriously hammered on to begin offering the MS-FrontPage
extension. I see no way to provide this and prevent one user from nuking
another user's pages without getting more control over the executing uid.

> Possibly more later,
> 
> rst

Feedback is very much appreciated.
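The hardening proposed in this exchange (refuse uid 0 outright, validate the requested uid instead of trusting argv[1], and only run scripts from a fixed list) can be sketched as a small policy check. The C below is an added illustration written for this page; it is not the wrapper from the patch under discussion, and the script paths, the MIN_TARGET_UID cutoff and the verdict names are constructed assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumption: uids below this are system accounts and never valid targets. */
#define MIN_TARGET_UID 100

/* Constructed allow-list of scripts the wrapper may run at all.
 * A real wrapper would load this from a root-owned config file. */
static const char *allowed_scripts[] = {
    "/usr/local/www/cgi-bin/counter",    /* constructed sample path */
    "/usr/local/www/cgi-bin/guestbook",  /* constructed sample path */
    NULL
};

enum wrap_verdict {
    WRAP_ALLOW = 0,
    WRAP_DENY_ROOT,      /* uid 0 requested: refused unconditionally */
    WRAP_DENY_SYSTEM,    /* reserved/system uid requested */
    WRAP_DENY_BAD_PATH,  /* relative path or traversal component */
    WRAP_DENY_UNLISTED   /* script not on the allow-list */
};

/* Parse a decimal uid from an argv string. Rejects empty input, a sign,
 * trailing junk, overflow, and values above the 16-bit range used here. */
int parse_uid(const char *s, uid_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s == '\0' || *s == '-' || *s == '+')
        return 0;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > 65535UL)
        return 0;
    *out = (uid_t)v;
    return 1;
}

/* Decide whether `script` may be executed as `target`.
 * Order matters: the uid checks run before the path is even looked at,
 * so a request for root is refused regardless of which script is named. */
enum wrap_verdict check_request(uid_t target, const char *script)
{
    if (target == 0)
        return WRAP_DENY_ROOT;
    if (target < MIN_TARGET_UID)
        return WRAP_DENY_SYSTEM;
    if (script == NULL || script[0] != '/' || strstr(script, "/../") != NULL)
        return WRAP_DENY_BAD_PATH;
    for (int i = 0; allowed_scripts[i] != NULL; i++) {
        if (strcmp(allowed_scripts[i], script) == 0)
            return WRAP_ALLOW;
    }
    return WRAP_DENY_UNLISTED;
}

/* Stand-alone demo over constructed requests; no execution is performed. */
int main(void)
{
    static const char *names[] = { "allow", "deny: root", "deny: system uid",
                                   "deny: bad path", "deny: unlisted" };
    const char *uids[]    = { "0", "50", "1001", "1001", "abc" };
    const char *scripts[] = { "/usr/local/www/cgi-bin/counter",
                              "/usr/local/www/cgi-bin/counter",
                              "/usr/local/www/cgi-bin/counter",
                              "/usr/local/www/cgi-bin/other",
                              "/usr/local/www/cgi-bin/counter" };
    for (int i = 0; i < 5; i++) {
        uid_t u;
        if (!parse_uid(uids[i], &u)) {
            printf("uid '%s': rejected as malformed\n", uids[i]);
            continue;
        }
        printf("uid %lu %s -> %s\n", (unsigned long)u, scripts[i],
               names[check_request(u, scripts[i])]);
    }
    return 0;
}
```

The point of putting the uid test first is that the wrapper never reaches the allow-list with uid 0, which closes the "argv[1] of root" hole described in point 4 even if a listed script were later compromised.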