From cvs-return-16644-apmail-httpd-cvs-archive=httpd.apache.org@httpd.apache.org Fri Jul 25 18:31:27 2003
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 72214 invoked by uid 500); 25 Jul 2003 18:31:26 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 72201 invoked by uid 500); 25 Jul 2003 18:31:26 -0000
Delivered-To: apmail-httpd-2.0-cvs@apache.org
Date: 25 Jul 2003 18:31:25 -0000
Message-ID: <20030725183125.18397.qmail@icarus.apache.org>
From: erikabele@apache.org
To: httpd-2.0-cvs@apache.org
Subject: cvs commit: httpd-2.0/docs/manual suexec.html.en suexec.xml
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

erikabele    2003/07/25 11:31:25

  Modified:    docs/manual suexec.html.en suexec.xml
  Log:
  Enhance some bits of the suEXEC docco to be a bit more precise in regard
  to suEXEC's docroot handling and its preconditions; see PR#21873 and #21874.

Revision Changes Path 1.47 +21 -18 httpd-2.0/docs/manual/suexec.html.en Index: suexec.html.en =================================================================== RCS file: /home/cvs/httpd-2.0/docs/manual/suexec.html.en,v retrieving revision 1.46 retrieving revision 1.47 diff -u -r1.46 -r1.47 --- suexec.html.en 30 Jun 2003 01:16:30 -0000 1.46 +++ suexec.html.en 25 Jul 2003 18:31:25 -0000 1.47 @@ -159,13 +159,15 @@
  • - Does the target program have an unsafe hierarchical - reference? + Does the target CGI or SSI program have an unsafe + hierarchical reference?

    - Does the target program contain a leading '/' or have a - '..' backreference? These are not allowed; the target - program must reside within the Apache webspace. + Does the target CGI or SSI program's path contain a leading + '/' or have a '..' backreference? These are not allowed; the + target CGI/SSI program must reside within suEXEC's document + root (see --with-suexec-docroot=DIR + below).

  • @@ -242,8 +244,8 @@
  • - Does the directory in which the program resides - exist? + Does the directory in which the target CGI/SSI program + resides exist?

    If it doesn't exist, it can't very well contain files. @@ -256,9 +258,10 @@

    If the request is for a regular portion of the server, is - the requested directory within the server's document - root? If the request is for a UserDir, is the requested - directory within the user's document root? + the requested directory within suEXEC's document root? If + the request is for a UserDir, is the requested directory + within the directory configured as suEXEC's userdir (see + suEXEC's configuration options)?

  • @@ -274,7 +277,7 @@
  • - Does the target program exist? + Does the target CGI/SSI program exist?

    If it doesn't exists, it can't very well be executed. @@ -282,17 +285,17 @@

  • - Is the target program NOT writable by - anyone else? + Is the target CGI/SSI program NOT writable + by anyone else?

    We don't want to give anyone other than the owner the - ability to change the program. + ability to change the CGI/SSI program.

  • - Is the target program NOT setuid or + Is the target CGI/SSI program NOT setuid or setgid?

    @@ -324,11 +327,11 @@

  • - Can we successfully become the target program and - execute? + Can we successfully become the target CGI/SSI program + and execute?

    - Here is where suEXEC ends and the target program begins. + Here is where suEXEC ends and the target CGI/SSI program begins.

  • 1.9 +21 -18 httpd-2.0/docs/manual/suexec.xml Index: suexec.xml =================================================================== RCS file: /home/cvs/httpd-2.0/docs/manual/suexec.xml,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- suexec.xml 22 Jun 2003 15:58:05 -0000 1.8 +++ suexec.xml 25 Jul 2003 18:31:25 -0000 1.9 @@ -131,13 +131,15 @@
  • - Does the target program have an unsafe hierarchical - reference? + Does the target CGI or SSI program have an unsafe + hierarchical reference?

    - Does the target program contain a leading '/' or have a - '..' backreference? These are not allowed; the target - program must reside within the Apache webspace. + Does the target CGI or SSI program's path contain a leading + '/' or have a '..' backreference? These are not allowed; the + target CGI/SSI program must reside within suEXEC's document + root (see --with-suexec-docroot=DIR + below).

  • @@ -214,8 +216,8 @@
  • - Does the directory in which the program resides - exist? + Does the directory in which the target CGI/SSI program + resides exist?

    If it doesn't exist, it can't very well contain files. @@ -228,9 +230,10 @@

    If the request is for a regular portion of the server, is - the requested directory within the server's document - root? If the request is for a UserDir, is the requested - directory within the user's document root? + the requested directory within suEXEC's document root? If + the request is for a UserDir, is the requested directory + within the directory configured as suEXEC's userdir (see + suEXEC's configuration options)?

  • @@ -246,7 +249,7 @@
  • - Does the target program exist? + Does the target CGI/SSI program exist?

    If it doesn't exists, it can't very well be executed. @@ -254,17 +257,17 @@

  • - Is the target program NOT writable by - anyone else? + Is the target CGI/SSI program NOT writable + by anyone else?

    We don't want to give anyone other than the owner the - ability to change the program. + ability to change the CGI/SSI program.

  • - Is the target program NOT setuid or + Is the target CGI/SSI program NOT setuid or setgid?

    @@ -296,11 +299,11 @@

  • - Can we successfully become the target program and - execute? + Can we successfully become the target CGI/SSI program + and execute?

    - Here is where suEXEC ends and the target program begins. + Here is where suEXEC ends and the target CGI/SSI program begins.
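Review bot: the rewritten answer in the @@ -159,13 +159,15 @@ hunk of suexec.html.en (and its @@ -131,13 +131,15 @@ twin in suexec.xml) now states that the target program "must reside within suEXEC's document root", but the @@ -256,9 +258,10 @@ hunk further down distinguishes two cases and says that for a UserDir request the directory must lie within the directory configured as suEXEC's userdir, not the docroot. Read together, the first answer is wrong for ~user requests; suggest "the target CGI/SSI program must reside within suEXEC's document root (or, for UserDir requests, within suEXEC's userdir; see the configuration options below)". Same hunk, style: it says "CGI or SSI program" twice while every later hunk in both files uses "CGI/SSI program"; pick one spelling.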
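Review bot: the UserDir sentence added in the @@ -256,9 +258,10 @@ hunk of suexec.html.en (@@ -228,9 +230,10 @@ in suexec.xml) sends the reader to "suEXEC's configuration options" in general, whereas the docroot answer earlier in the same file names --with-suexec-docroot=DIR directly. For symmetry, name the option here as well, e.g. "within the directory configured as suEXEC's userdir (see --with-suexec-userdir=DIR below)", so both halves of the check point at the concrete configure flag that sets the boundary being enforced.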
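Review bot: the unchanged context line directly under the @@ -274,7 +277,7 @@ hunk of suexec.html.en (@@ -246,7 +249,7 @@ in suexec.xml) still reads "If it doesn't exists, it can't very well be executed."; since this hunk already rewrites the question right above it, fold the "doesn't exist" typo fix into the same commit in both files rather than leaving it for a follow-up.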