Posted to users@httpd.apache.org by Sagara Wijetunga <sa...@yahoo.com> on 2003/07/22 10:53:18 UTC

[users@httpd] Secure Apache VirtualHost and suEXEC Support

Secure Apache VirtualHost and suEXEC Support

I need to implement secure Apache Virtual Hosts on a
single server running Linux 2.4 and Apache 2. This
further requires me to provide a CGI facility with
database support.

Since Apache’s normal mode of operation with CGI
support is not safe in a multi-user environment, I
have considered Apache with suEXEC support.

I read the suEXEC Support documentation
(http://httpd.apache.org/docs-2.0/suexec.html) and I
have the following queries about suEXEC Support:

1.	Is there a way to specify the Virtual Host Root and
its DocumentRoot separately for a particular Virtual
Host? 
Eg.
Virtual Host Root1: /var/websites/www.company1.com
Its DocumentRoot: /var/websites/www.company1.com/html

Virtual Host Root2: /var/websites/www.company2.com
Its DocumentRoot: /var/websites/www.company2.com/html


2.	Is it possible to keep the cgi-bin directory for a
particular Virtual Host under its Virtual Host Root,
but NOT under its DocumentRoot?
Ie. 
Virtual Host Root:  /var/websites/www.company1.com
Its DocumentRoot: /var/websites/www.company1.com/html
Its Cgi-bin Root: /var/websites/www.company1.com/cgi-bin

3.	Is it possible to restrict the scope for CGI
scripts to read resources (eg. Files) ONLY from any
directory under its Virtual Host Root, but NOT above
its Virtual Host Root? 

An early reply is very much appreciated. 
Thanks.
Sagara



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Secure Apache VirtualHost and suEXEC Support

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 24 Jul 2003, Sagara Wijetunga wrote:

> Dear Joshua
>
> Thanks for your clarification.
>
> What really confused me was point 13 (Is the
> directory within the Apache webspace?) under the
> “suEXEC Security Model” of the “suEXEC Support
> documentation”
> (http://httpd.apache.org/docs-2.0/suexec.html).
>
> Point 13 should have been better written as “If the
> request is for a regular portion of the server, is the
> requested directory within the suEXEC's docroot
> (--with-suexec-docroot=DIR)?”

You are correct.  In general, for optimal security, the two document roots
should be the same.  But, as you notice, it doesn't work so well in some
scenarios.

Please feel free to submit a bug report to the apache bug database about
this.  That way when someone goes to clean up those docs it won't be
forgotten.

Joshua.



Re: [users@httpd] Secure Apache VirtualHost and suEXEC Support

Posted by Sagara Wijetunga <sa...@yahoo.com>.
Dear Joshua

Thanks for your clarification.

What really confused me was point 13 (Is the
directory within the Apache webspace?) under the
“suEXEC Security Model” of the “suEXEC Support
documentation”
(http://httpd.apache.org/docs-2.0/suexec.html).

Point 13 should have been better written as “If the
request is for a regular portion of the server, is the
requested directory within the suEXEC's docroot
(--with-suexec-docroot=DIR)?”

Sagara

--- Joshua Slive <jo...@slive.ca> wrote:
>
> On Wed, 23 Jul 2003, Sagara Wijetunga wrote:
> > (1) Referring to point 13 (Is the directory within the
> > Apache webspace?) under the “suEXEC Security Model” of
> > the “suEXEC Support documentation”
> > (http://httpd.apache.org/docs-2.0/suexec.html);
> > Does this mean you have to organize all your
> > directories and files under your virtual host’s
> > DocumentRoot (including CGIs and restricted
> > resources)?
>
> No.  The document root being referred to here is the suexec docroot (the
> one specified in the --with-suexec-docroot=DIR argument when compiling).
> This does not necessarily need to be the same as the DocumentRoot
> specified in httpd.conf.
>
> > (3) According to point 4 (Does the target program have
> > an unsafe hierarchical reference?) under the “suEXEC
> > Security Model” of the “suEXEC Support documentation”,
> > Apache does not allow leading '/' or have a '..' back
> > reference.
> >
> > What’s the meaning of this? Is the documentation
> > referring to file path references inside the source of
> > the CGI program?
> >
> > Can Apache check unsafe file references inside the
> > source of the CGI program before it runs the CGI
> > program and fail if it does?
>
> No, this only refers to the path to the cgi script that is passed to
> suexec.  Under normal circumstances, apache will not pass unsafe paths to
> suexec, so this restriction is really only intended to cover people trying
> to exploit suexec from outside apache.
>
> > (4) For a given Virtual Host under the suEXEC, Apache
> > logs are written under what user? Apache’s user id
> > (nobody) or suEXEC user id?
>
> Apache's main logs are always opened under the id of the user who starts
> apache (usually root).  Suexec affects only cgi scripts, not the normal
> operation of the server.
>
> Joshua.
>




Re: [users@httpd] Secure Apache VirtualHost and suEXEC Support

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 23 Jul 2003, Sagara Wijetunga wrote:
> (1) Referring to point 13 (Is the directory within the
> Apache webspace?) under the “suEXEC Security Model” of
> the “suEXEC Support documentation”
> (http://httpd.apache.org/docs-2.0/suexec.html);
> Does this mean you have to organize all your
> directories and files under your virtual host’s
> DocumentRoot (including CGIs and restricted
> resources)?

No.  The document root being referred to here is the suexec docroot (the
one specified in the --with-suexec-docroot=DIR argument when compiling).
This does not necessarily need to be the same as the DocumentRoot
specified in httpd.conf.

> (3) According to point 4 (Does the target program have
> an unsafe hierarchical reference?) under the “suEXEC
> Security Model” of the “suEXEC Support documentation”,
> Apache does not allow leading '/' or have a '..' back
> reference.
>
> What’s the meaning of this? Is the documentation
> referring to file path references inside the source of
> the CGI program?
>
> Can Apache check unsafe file references inside the
> source of the CGI program before it runs the CGI
> program and fail if it does?

No, this only refers to the path to the cgi script that is passed to
suexec.  Under normal circumstances, apache will not pass unsafe paths to
suexec, so this restriction is really only intended to cover people trying
to exploit suexec from outside apache.

> (4) For a given Virtual Host under the suEXEC, Apache
> logs are written under what user? Apache’s user id
> (nobody) or suEXEC user id?

Apache's main logs are always opened under the id of the user who starts
apache (usually root).  Suexec affects only cgi scripts, not the normal
operation of the server.

Joshua.
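
The two suEXEC checks discussed in the reply above (point 4, the path of the CGI program; point 13, the directory against the suexec docroot), written out as an added example in C; it is not code from this thread or from Apache's suexec source. It assumes the directory has already been resolved to an absolute path; the function names and the script names are hypothetical, and stopping the docroot match at a path-component boundary is this example's choice.

```c
#include <stdio.h>
#include <string.h>

/* Point 4: the path of the CGI program handed to the wrapper must not
 * start with '/' and must not contain a ".." back reference. */
int cmd_path_is_safe(const char *cmd)
{
    size_t n = strlen(cmd);
    if (n == 0 || cmd[0] == '/')
        return 0;
    if (strcmp(cmd, "..") == 0 || strncmp(cmd, "../", 3) == 0)
        return 0;
    if (strstr(cmd, "/../") != NULL)
        return 0;
    if (n >= 3 && strcmp(cmd + n - 3, "/..") == 0)
        return 0;
    return 1;
}

/* Point 13: is the (already resolved, absolute) directory inside the
 * suexec docroot?  The match must end on a path-component boundary, so
 * /var/websites-old is not treated as inside /var/websites. */
int dir_within_docroot(const char *dir, const char *docroot)
{
    size_t n = strlen(docroot);
    while (n > 1 && docroot[n - 1] == '/')  /* ignore trailing slashes */
        n--;
    if (n == 0 || strncmp(dir, docroot, n) != 0)
        return 0;
    if (n == 1 && docroot[0] == '/')        /* docroot "/" holds everything */
        return 1;
    return dir[n] == '\0' || dir[n] == '/';
}

int main(void)
{
    const char *docroot = "/var/websites";  /* parent of all sites, as in the thread */
    const char *dirs[] = {                  /* last two entries are constructed */
        "/var/websites/www.company1.com/cgi-bin",
        "/var/websites/www.company1.com/html",
        "/var/websites-old/cgi-bin",
        "/home/user/cgi-bin",
    };
    const char *cmds[] = { "report.cgi", "/bin/sh", "../report.cgi", "a/../b.cgi" };  /* constructed */
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        printf("%-42s %s\n", dirs[i], dir_within_docroot(dirs[i], docroot) ? "inside docroot" : "REJECT");
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("%-42s %s\n", cmds[i], cmd_path_is_safe(cmds[i]) ? "path ok" : "REJECT");
    return 0;
}
```

Both the cgi-bin and html directories of a site under /var/websites pass the docroot check, which is why the cgi-bin directory can sit beside the DocumentRoot rather than under it.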



Re: [users@httpd] Secure Apache VirtualHost and suEXEC Support

Posted by Sagara Wijetunga <sa...@yahoo.com>.
Dear Joshua

Thanks for your reply but I would like to clarify
certain points which worry me very much regarding
suEXEC.

(1) Referring to point 13 (Is the directory within the
Apache webspace?) under the “suEXEC Security Model” of
the “suEXEC Support documentation”
(http://httpd.apache.org/docs-2.0/suexec.html);
Does this mean you have to organize all your
directories and files under your virtual host’s
DocumentRoot (including CGIs and restricted
resources)?

If it is, this puts you at high risk. It is dangerous
and not a good practice to put your cgi-bin and other
restricted resources under the publicly accessible
DocumentRoot even though you can control the access
through Unix file privileges.

Can I organize cgi-bin, restricted resources and logs
directories outside of the DocumentRoot?

(3) According to point 4 (Does the target program have
an unsafe hierarchical reference?) under the “suEXEC
Security Model” of the “suEXEC Support documentation”,
Apache does not allow leading '/' or have a '..' back
reference.

What’s the meaning of this? Is the documentation
referring to file path references inside the source of
the CGI program?

Can Apache check unsafe file references inside the
source of the CGI program before it runs the CGI
program and fail if it does?

(4) For a given Virtual Host under the suEXEC, Apache
logs are written under what user? Apache’s user id
(nobody) or suEXEC user id?

An early reply is very much appreciated. 
Thanks.
Sagara


--- Joshua Slive <jo...@slive.ca> wrote:
>
> On Tue, 22 Jul 2003, Sagara Wijetunga wrote:
> > 1.	Is there a way to specify the Virtual Host Root and
> > its DocumentRoot separately for a particular Virtual
> > Host?
>
> > 2.	Is it possible to keep the cgi-bin directory for a
> > particular Virtual Host under its Virtual Host Root,
> > but NOT under its DocumentRoot?
>
> Yes, you should be able to set the --with-document-root argument when you
> compile apache to be the parent of all your websites, /var/websites in
> your case.  Remember that the suexec document root does not need to be the
> same as any DocumentRoot in your config files.
>
> > 3.	Is it possible to restrict the scope for CGI
> > scripts to read resources (eg. Files) ONLY from any
> > directory under its Virtual Host Root, but NOT above
> > its Virtual Host Root?
>
> This is something between you and your scripting language/shell.  Neither
> apache nor suexec can control what a script does after it is executed,
> other than by setting its privileges.  In general, the answer to this
> question is "no".  But you should be able to make careful use of unix
> privileges to assure that users can't do bad things.
>
> Joshua.




Re: [users@httpd] Secure Apache VirtualHost and suEXEC Support

Posted by Joshua Slive <jo...@slive.ca>.
On Tue, 22 Jul 2003, Sagara Wijetunga wrote:
> 1.	Is there a way to specify the Virtual Host Root and
> its DocumentRoot separately for a particular Virtual
> Host?

> 2.	Is it possible to keep the cgi-bin directory for a
> particular Virtual Host under its Virtual Host Root,
> but NOT under its DocumentRoot?

Yes, you should be able to set the --with-document-root argument when you
compile apache to be the parent of all your websites, /var/websites in
your case.  Remember that the suexec document root does not need to be the
same as any DocumentRoot in your config files.

> 3.	Is it possible to restrict the scope for CGI
> scripts to read resources (eg. Files) ONLY from any
> directory under its Virtual Host Root, but NOT above
> its Virtual Host Root?

This is something between you and your scripting language/shell.  Neither
apache nor suexec can control what a script does after it is executed,
other than by setting its privileges.  In general, the answer to this
question is "no".  But you should be able to make careful use of unix
privileges to assure that users can't do bad things.

Joshua.
