httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 20:22:44 GMT
> Randy Terbush wrote:
> > 
> > >   How would you suggest doing this?
> > > 
> > >   Maybe a simple check to see if User for this VHost is defined to
> > >   be different from the main server id and calling the wrapper if it is?
> > > 
> > > Exactly --- check if those two integers are equal, and bypass the wrapper
> > > if so.  What's the fuss?
> > > 
> > > rst
> > 
> > No muss, no fuss. Works just dandy.
> > 
> > One other option here that might make some people feel even better
> > about this code... any installation of a wrapper program would 
> > default to be non-suid. Anyone who changed that would be assuming the
> > risks.
> 
> Uh? Why not just not install it at all (it can't do anything useful if it is
> not setuid, can it?).

True. With the change I just made from RST's suggestion, setting User
or Group in a VHost config would cause execution of scripts in that
VHost to fail if the selected UID was different than the default.

> BTW, I've almost decided that chroot() doesn't help with security (because a
> Bad Guy can still make something setuid to the attacked uid which can then be
> exploited by another route).

I agree. In the chroot() environment that we run, there are a lot less
tools available if they would break it, and the area that they can
destroy is less. Still not a comfortable solution when running as root.
I suppose that there are other routes through the network layers that
could be exploited as well. I'm very happy to be able to switch off
EUID root.