httpd-dev mailing list archives

From Randy Terbush
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 21:37:09 GMT
> The only additional check I would put in would be requiring that the owner
> of the script already match the person you are setuid()'ing to... This
> covers people's butts if they set up stupid permissions on their
> directories. Some systems don't always do the change id's correctly, or
> don't change both the real and effective id's.
> Sure, it doesn't help all systems (chown), but it does help quite a few...

In http_exec.c (can_exec()) there are a whole slew of checks that make
sure that the script owner and directory owner match, that the directory
is not writable by others, etc. It could be argued that these checks
need to move into the wrapper, however calling can_exec *before* sending
to a setuid-root wrapper might be considered more prudent.

> I'd also double check the change of uid/gid, even though it is probably
> unnecessary.
> If it seems like this module works ok, and no one sees any problems, I'll
> probably wind up switching to it myself...
> -- Nathan

Keep in mind that this is not a module. What I have essentially done
is centralized the exec() code which allows *any* module that needs
exec() to use call_exec() to execute the program. If the VHost has
user_id or group_id set differently than the main server, it will use
the wrapper to achieve the switch.
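
The checks discussed in this thread (script owner equals the target user, directory owner matches, nothing writable by others, and confirming that both real and effective ids changed), written out as an added C example that is not part of the original message and is not Apache's can_exec() or wrapper code. The names check_target, switch_ids and demo, the return codes and the temporary path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 0 if `script` in `dir` may run as `uid`; a negative code names the failed check. */
int check_target(const char *dir, const char *script, uid_t uid)
{
    struct stat d, s;
    if (lstat(dir, &d) != 0 || !S_ISDIR(d.st_mode)) return -1;
    if (lstat(script, &s) != 0 || !S_ISREG(s.st_mode)) return -2; /* no symlinks */
    if (s.st_uid != uid) return -3;       /* script owner is the target user */
    if (d.st_uid != s.st_uid) return -4;  /* directory owner matches script owner */
    if ((d.st_mode | s.st_mode) & (S_IWGRP | S_IWOTH)) return -5; /* writable by others */
    return 0;
}

/* Switch ids, then confirm that real AND effective ids both changed. */
int switch_ids(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) return -1;      /* group first, while still privileged */
    if (setuid(uid) != 0) return -2;
    if (getgid() != gid || getegid() != gid) return -3;
    if (getuid() != uid || geteuid() != uid) return -4;
    if (uid != 0 && setuid(0) == 0) return -5; /* root must not be recoverable */
    return 0;
}

/* Constructed sample: a temp directory with mode `dir_mode` holding one script. */
int demo(mode_t dir_mode, uid_t uid)
{
    char dir[] = "/tmp/execchkXXXXXX", path[64];
    if (mkdtemp(dir) == NULL) return -100;
    snprintf(path, sizeof path, "%s/test.cgi", dir);
    int fd = open(path, O_CREAT | O_WRONLY | O_EXCL, 0700);
    if (fd >= 0) close(fd);
    chmod(dir, dir_mode);
    int rc = check_target(dir, path, uid);
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("safe=%d loose=%d\n", demo(0755, getuid()), demo(0777, getuid()));
    return switch_ids(getuid(), getgid());
}
```

A wrapper started as root would normally also reset supplementary groups (setgroups/initgroups) before setgid(); that call is left out here so the block runs unprivileged.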
