httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 33716] - suexec behavior/code doesn't match documented security model
Date Wed, 23 Feb 2005 21:57:29 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=33716>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=33716

------- Additional Comments From dax@gurulabs.com  2005-02-23 22:57 -------
(In reply to comment #7)
> Look some lines above. In conclusion with those lines:
> 
>     if ((dir_info.st_mode & S_IWOTH) || (dir_info.st_mode & S_IWGRP)) {
>         log_err("directory is writable by others: (%s)\n", cwd);
>         exit(116);
>     }
> 
> it matches cond. 14.

No, it does not match. What cond 14 says and what is checked are not the same.

In other words, where is the condition that says: "directory containing the cgi
program MUST have same owner and group as the cgi program"?

Such a condition wisely does not exist.

> > I want my content directory to be the following:
> > dr-xr-xr-x   2 root root 4096 Feb 23 14:36 htdocs
> 
> So you're editing your files as root? Nice ;-)

No. Consider the following:

dr-xr-xr-x  2 root    root    4096 Feb 23 14:51 .
drwxr-xr-x  3 root    root    4096 Feb 23 14:36 ..
-rw-r--r--  1 dkelson dkelson   19 Feb 23 14:50 index.html
-rw-r--r--  1 root    root       8 Feb 23 14:51 mypic.png
-rwxr-xr-x  1 dkelson dkelson   16 Feb 23 14:52 update-index.cgi

> Anyway, you're mixing comfort and security. Your directory model should also
> match your security needs. Just don't put active scripts in such directories and
> you're done.

This is hand-waving and ignores the problem.
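To make the distinction the two comments argue about concrete, the following C program is an added example; it is not part of this bug report or of suexec's own source. It reproduces the directory check quoted from suexec.c above (reject when the directory is group- or world-writable, exit code 116), applies it to a real temporary directory at mode 0555 and 0775, and contrasts it with the owner/group-match rule the reporter asks about, evaluated against the listing in the message. The numeric ids (root = 0, dkelson = 1000) and the `/tmp` path are assumptions made for the demo.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The directory rule as quoted from suexec.c in the thread: the directory is
 * rejected when it is writable by group or by others. No owner/group comparison
 * with the CGI program is made. Returns non-zero when the mode is rejected. */
int dir_mode_rejected(mode_t mode)
{
    return (mode & S_IWOTH) || (mode & S_IWGRP);
}

/* stat() a real path and apply that rule. Returns 0 when accepted, 116 (the exit
 * code in the quoted snippet) when rejected, -1 when stat() fails. */
int check_dir(const char *path)
{
    struct stat dir_info;
    if (stat(path, &dir_info) != 0)
        return -1;
    if (dir_mode_rejected(dir_info.st_mode)) {
        fprintf(stderr, "directory is writable by others: (%s)\n", path);
        return 116;
    }
    return 0;
}

/* The rule the reporter asks about, which the thread says does not exist in
 * suexec: would the directory have to share owner and group with the CGI
 * program? Returns 1 when owner and group both match, else 0. */
int owners_match(uid_t dir_uid, gid_t dir_gid, uid_t cgi_uid, gid_t cgi_gid)
{
    return dir_uid == cgi_uid && dir_gid == cgi_gid;
}

/* The listing from the message, reduced to the two entries that matter:
 *   dr-xr-xr-x  root    root    .                  (mode 0555)
 *   -rwxr-xr-x  dkelson dkelson update-index.cgi   (mode 0755)
 * Returns 1 when suexec's directory rule accepts this layout. */
int listing_accepted_by_suexec_dir_rule(void)
{
    const mode_t dir_mode = 0555;
    return dir_mode_rejected(dir_mode) == 0;
}

/* Same listing under the hypothetical owner-match rule: 1 if it would pass.
 * Numeric ids are constructed for the demo; the page gives none. */
int listing_accepted_by_owner_match_rule(void)
{
    const uid_t root_uid = 0, dkelson_uid = 1000;   /* constructed */
    const gid_t root_gid = 0, dkelson_gid = 1000;   /* constructed */
    return owners_match(root_uid, root_gid, dkelson_uid, dkelson_gid);
}

/* Live check against the filesystem: create a temp directory, try it at 0555
 * (as in the htdocs listing) and at 0775 (group-writable). Returns 0 when the
 * results are as expected (accepted, then rejected), 1 otherwise, -1 on setup
 * failure. */
int demo(void)
{
    char tmpl[] = "/tmp/suexec-dir-check-XXXXXX";   /* assumed writable tmp dir */
    char *d = mkdtemp(tmpl);
    if (d == NULL)
        return -1;
    int r555 = chmod(d, 0555) == 0 ? check_dir(d) : -1;
    int r775 = chmod(d, 0775) == 0 ? check_dir(d) : -1;
    chmod(d, 0755);
    rmdir(d);
    return (r555 == 0 && r775 == 116) ? 0 : 1;
}

int main(void)
{
    printf("0555 root-owned dir accepted by suexec rule: %s\n",
           listing_accepted_by_suexec_dir_rule() ? "yes" : "no");
    printf("same layout under owner-match rule: %s\n",
           listing_accepted_by_owner_match_rule() ? "yes" : "no");
    printf("live temp-dir demo: %s\n",
           demo() == 0 ? "as expected" : "unexpected");
    return 0;
}
```

The point the program makes is that the check in the quoted snippet is purely a mode check: a root-owned, non-writable directory holding a user-owned CGI passes it, while the same directory at 0775 is rejected, regardless of who owns the script.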
