Comments on first glance ---
1) The patch, as you distributed it, conflates the CGI-wrapper stuff
with a few other changes --- in particular, allowing nonexistent
DocumentRoots for virtual servers, and your ConfigDir patch. I
think there's consensus that it would be a good idea to have both
these things in a future release, but not yet on the exact form
which they should take, so it would probably be best, for the moment,
to consider them independently.
2) The is_scriptaliased business really is CGI-specific, and probably
should stay with mod_cgi. (Actually, it should really just be
trashed in favor of something handler-based, but as long as the
ugliness is there, it probably ought to be as far from the server
core as possible). Consolidating some of the other error checks,
however, is probably a good idea.
3) As I read the code, there's no way to bypass the sucgi wrapper,
even for sites that don't want uid-flipping behavior. I'm less
concerned about overhead here than about just plain ol' complexity
of installation and site maintenance --- it's one more binary that
you gotta install, and the server itself has to know where to find
it, which is a bit of a pain in the neck for people who don't need
the functionality.
My "here there be tygers" itch is also acting up just a tad, but
at least off the top of my head I can't think of any risks in this
arrangement over and above those inherent in running CGI at all
which can't be dealt with by turning off the suid bit on the
wrapper.
At any rate, it seems that the easiest way to deal with this given
your code as it stands is to bypass the wrapper and do a straight
exec() of the target unless the server actually has been configured
to switch uids. If your code already does this, and I misread, my
apologies.
4) Unfortunately, looking over the wrapper itself, if you do install
it with the suid bit on, I do see a problem --- if you can get a
process running as 'www', and this wrapper has been installed
suid-root, you can then run the wrapper yourself with argv[1] of
root and wreak your will. Possible ways of getting such a process
include *non*-suid CGI, and putting a trojan-horse command where it
will get run by a maintenance job. (Ah, the games you can play
with 'uucp'...). At any rate, it seems a little more paranoia
is in order here on the part of the wrapper itself.
5) At first glance, this code ought to be able to get along in a threaded
environment at least as well as the stuff that's already there.
Possibly more later,
rst
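Point 4 above asks for more paranoia inside the wrapper itself. The following is an added illustration of the kind of preflight policy a setuid wrapper can enforce before it switches uids; it is not code from the patch under discussion or from rst, and the function names, uid values and the MIN_TARGET_UID cutoff are constructed for the example. The policy is deliberately a pure function of its arguments so it can be exercised without a setuid binary; a real wrapper would feed it getuid() and a getpwnam() lookup.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Outcomes of the hypothetical wrapper's preflight checks. */
enum wrap_result {
    WRAP_OK = 0,
    WRAP_BAD_NAME,       /* target user name is not a plain account name */
    WRAP_BAD_CALLER,     /* invoked by a uid other than the server's own */
    WRAP_TARGET_ROOT,    /* asked to switch to root (the case in point 4) */
    WRAP_TARGET_LOW_UID  /* asked to switch to a system account */
};

/* Assumed site policy: never run CGI as a uid below this threshold. */
#define MIN_TARGET_UID 100

/* Accept only names of the form [A-Za-z0-9_][A-Za-z0-9_-]*, so a
 * crafted argv[1] such as "../etc" or "-f" is refused before any
 * lookup happens. */
static int name_is_sane(const char *name)
{
    size_t i;
    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return 0;
    for (i = 0; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Decide whether the wrapper may go on to setuid() and exec().
 * caller_uid:  real uid of whoever ran the wrapper (getuid() in practice)
 * server_uid:  the uid the web server is known to run as (compiled in)
 * target_name: argv[1], the account the script should run as
 * target_uid:  the uid that name resolved to (getpwnam() in practice) */
enum wrap_result wrapper_preflight(uid_t caller_uid, uid_t server_uid,
                                   const char *target_name, uid_t target_uid)
{
    if (!name_is_sane(target_name))
        return WRAP_BAD_NAME;
    /* Refuse anyone who is not the server, even though the wrapper is
     * setuid and would otherwise happily oblige. */
    if (caller_uid != server_uid)
        return WRAP_BAD_CALLER;
    /* Never become root, whatever argv[1] says. */
    if (target_uid == 0 || strcmp(target_name, "root") == 0)
        return WRAP_TARGET_ROOT;
    /* Nor any other privileged system account. */
    if (target_uid < MIN_TARGET_UID)
        return WRAP_TARGET_LOW_UID;
    return WRAP_OK;
}

static const char *describe(enum wrap_result r)
{
    switch (r) {
    case WRAP_OK:             return "ok";
    case WRAP_BAD_NAME:       return "refused: malformed target name";
    case WRAP_BAD_CALLER:     return "refused: caller is not the server";
    case WRAP_TARGET_ROOT:    return "refused: target is root";
    case WRAP_TARGET_LOW_UID: return "refused: target is a system account";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed scenarios; 80 stands in for the server's 'www' uid. */
    printf("alice as www:  %s\n", describe(wrapper_preflight(80, 80, "alice", 1001)));
    printf("root as www:   %s\n", describe(wrapper_preflight(80, 80, "root", 0)));
    printf("alice as 1000: %s\n", describe(wrapper_preflight(1000, 80, "alice", 1001)));
    printf("daemon as www: %s\n", describe(wrapper_preflight(80, 80, "daemon", 2)));
    printf("../etc as www: %s\n", describe(wrapper_preflight(80, 80, "../etc", 1001)));
    return 0;
}
```

The root refusal is the direct answer to the scenario in point 4: a process that has already obtained the server's uid gains nothing from invoking the wrapper with argv[1] of root, because the wrapper will not switch to uid 0 (or any low uid) regardless of who asks. The caller-uid check is the complementary guard against other local accounts invoking the setuid binary at all.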