httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r..@ai.mit.edu (Robert S. Thau)
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 16:49:18 GMT
Comments on first glance ---

1) The patch, as you distributed it, conflates the CGI-wrapper stuff
   with a few other changes --- in particular, allowing nonexistent
   DocumentRoots for virtual servers, and your ConfigDir patch.  I
   think there's consensus that it would be a good idea to have both
   these things in a future release, but not yet on the exact form
   which they should take, so it would probably be best, for the moment,
   to consider them independantly.

2) The is_scriptaliased business really is CGI-specific, and probably
   should stay with mod_cgi.  (Actually, it should really just be
   trashed in favor of something handler-based, but as long as the
   ugliness is there, it probably ought to be as far from the server
   core as possible).  Consolidating some of the other error checks,
   however, is probably a good idea.

3) As I read the code, there's no way to bypass the sucgi wrapper,
   even for sites that don't want uid-flipping behavior.  I'm less
   concerned about overhead here than about just plain ol' complexity
   of installation and site maintenance --- it's one more binary that
   you gotta install, and the server itself has to know where to find
   it, which is a bit of a pain in the neck for people who don't need
   the functionality.

   My "here there be tygers" itch is also acting up just a tad, but
   at least off the top of my head I can't think of any risks in this
   arrangement over and above those inherent in running CGI at all
   which can't be dealt with by turning off the suid bit on the
   wrapper.

   At any rate, it seems that the easiest way to deal with this given
   your code as it stands is to bypass the wrapper and do a straight
   exec() of the target unless the server actually has been configured
   to switch uids.  If your code already does this, and I misread, my
   apologies.

4) Unfortunately, looking over the wrapper itself, if you do install
   it with the suid bit on, I do see a problem --- if you can get a
   process running as 'www', and this wrapper has been installed
   suid-root, you can then run the wrapper yourself with argv[1] of
   root and wreak your will.  Possible ways of getting such a process
   include *non*-suid CGI, and putting a trojan-horse command where it
   will get run by a maintenance job.  (Ah, the games you can play
   with 'uucp'...).  At any rate, it seems a little more paranoia
   is in order here on the part of the wrapper itself.

5) At first glance, this code ought to be able to get along in a threaded 
   environment at least as well as the stuff that's already there.

Possibly more later,

rst

Mime
View raw message