httpd-dev mailing list archives

From Randy Terbush <>
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 23:06:38 GMT
>   There really isn't much in this wrapper that can be misconfigured.
>   I'm for keeping it as simple as possible.
> "Everything should be made as simple as possible, but no simpler".  
> The sucgi wrapper is too simple.

There's an easy cure for that. :-)

>   There are a fair number of checks in sucgi already. 
> But we're talking about a situation in which the attacker already has
> an account on the machine (authorized user attempting to subvert another
> authorized user), and is invoking the wrapper *directly* to do so.  That
> makes any checks performed by sucgi, or anything else in the web server,
> irrelevant, since it is simply not in the picture.
> rst

But the attacker will first need to become the 'www' user in the
case of the current sucgi, who will then need to exec some piece
of code via the web server. The server is not going to touch
anything that does not both match the owner of the directory in
which it resides, and the uid of the VHost.

I guess that for safety's sake, these checks need to exist in both
the server and the wrapper. 
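
The checks this message describes (the caller must be the web server user, and the program's owner must match both the owner of its directory and the VHost uid), written as they could run inside the wrapper itself. This is an added example, not part of the original message and not code from sucgi or Apache; the function names, the verdict enum, the regular-file test and the sample uids are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum verdict { OK = 0, BAD_CALLER, BAD_DIR, BAD_DIR_OWNER, BAD_PROG, BAD_PROG_OWNER };

/* Policy only: decides from already-collected facts, so it can be tested
 * without touching the filesystem. httpd_uid is the account the web server
 * runs as ('www' in the thread); vhost_uid is the uid configured for the VHost. */
enum verdict check_request(uid_t caller, uid_t httpd_uid, uid_t vhost_uid,
                           struct stat dir, struct stat prog)
{
    if (caller != httpd_uid)       return BAD_CALLER;     /* wrapper invoked directly by another user */
    if (!S_ISDIR(dir.st_mode))     return BAD_DIR;
    if (dir.st_uid != vhost_uid)   return BAD_DIR_OWNER;  /* directory must belong to the VHost uid */
    if (!S_ISREG(prog.st_mode))    return BAD_PROG;       /* assumption: refuse symlinks and special files */
    if (prog.st_uid != dir.st_uid) return BAD_PROG_OWNER; /* program owner must match directory owner */
    return OK;
}

/* Filesystem front-end: lstat() so a symlink is judged as a symlink, and
 * getuid() so the real (invoking) uid is checked even when the wrapper is setuid. */
enum verdict check_paths(uid_t httpd_uid, uid_t vhost_uid, const char *dir, const char *prog)
{
    struct stat d, p;
    if (lstat(dir, &d) != 0)  return BAD_DIR;
    if (lstat(prog, &p) != 0) return BAD_PROG;
    return check_request(getuid(), httpd_uid, vhost_uid, d, p);
}

/* Constructed sample input: a stat record with only owner and mode filled in. */
struct stat sample(uid_t uid, mode_t mode)
{
    struct stat s;
    memset(&s, 0, sizeof s);
    s.st_uid = uid;
    s.st_mode = mode;
    return s;
}

int main(void)
{
    /* Constructed uids: 33 = web server account, 1001 = VHost owner, 1002 = another local user. */
    printf("%d\n", check_request(33, 33, 1001, sample(1001, S_IFDIR | 0755), sample(1001, S_IFREG | 0755)));
    printf("%d\n", check_request(1002, 33, 1001, sample(1001, S_IFDIR | 0755), sample(1001, S_IFREG | 0755)));
    printf("%d\n", check_request(33, 33, 1001, sample(1001, S_IFDIR | 0755), sample(1002, S_IFREG | 0755)));
    return 0;
}
```

Checking with `lstat()` and then executing by path leaves a window in which the file can be swapped, so a wrapper built on these checks also has to close that gap.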
