httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 23:42:07 GMT
> At 6:21 PM 6/2/96, Robert S. Thau wrote:
> >   The sucgi wrapper is too simple.
> >
> > Hmmm... before things get too heated, I'd better substantiate this
> > with an example of an attack which, I think, would work with the
> > sucgi wrapper, even after we tossed in Nathan's "owner == uid to
> > switch to" check.  On hyperreal, which is a reasonably well-managed
> > system (as I recall, Satan gave it a completely clean bill of health
> > the first time Brian ran a check), we find the following:
> 
> 
> Here's the problem as I see it:
> 
>        sucgi.c: Ok, I see you are 'www', I'll let you run any script as any
> user - I'm not talking about the apache module... The weakest link is the
> sucgi.c executable.

There are limited checks; however, IF you can become 'www', then you
will be able to be a bad guy. I'll add the same checks that I have
in can_exec() to sucgi.c. Perhaps these checks need to come out of
the server?

>        cgiwrap: Ok, you're 'www', I'll let you run any script as any user,
> so long as the following apply: The script doesn't have any questionable
> permissions (i.e. setid, setgid), the script is stored in fred's directory
> if you're going to run it as fred, and it's owned by fred.
> 
> I see no problem with suCGI suitably modified with the above checks for use
> in personal user directories... But I don't see an easy way to do for
> virtual hosts that will both work and is safe.

The checks in can_exec(), (which I am about to put in sucgi.c) make
sure that:

 * the script is owned by the UID that is being switched to.
 * the directory that it resides in is also owned by that UID.
 * the directory is not writable by anyone but the owner.
 * that the file is not already setuid.

Doing a chroot() to a safe place might also be an option, but it
will require a lot more work to set up for those of you not
already running chroot()'d.
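The four can_exec() checks listed in the message, written out as an added example for this thread. This is not sucgi.c, can_exec() or any other Apache code; it assumes a POSIX system with openat()/fstatat(), that the caller has already decided which uid the script should run as (the wrapper would derive that from the user directory or virtual host), and it adds a fifth check not in the list above, that the script itself is not group- or world-writable. The fixture helpers and the "script.cgi" contents are constructed for the demo.

```c
#define _XOPEN_SOURCE 700          /* openat(), fstatat(), mkdtemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdicts from can_exec(); CE_OK means the script may run as target_uid. */
enum {
    CE_OK = 0,
    CE_BAD_PATH,      /* empty base name or trailing slash */
    CE_DIR_OPEN,      /* containing directory cannot be opened or stat()ed */
    CE_DIR_OWNER,     /* directory not owned by target_uid */
    CE_DIR_WRITABLE,  /* directory writable by group or others */
    CE_FILE_STAT,     /* script missing */
    CE_FILE_NOT_REG,  /* script is a symlink or not a regular file */
    CE_FILE_OWNER,    /* script not owned by target_uid */
    CE_FILE_SETID,    /* script is already setuid or setgid */
    CE_FILE_WRITABLE  /* extra check: script writable by group or others */
};
static const char *const ce_names[] = {
    "ok", "bad path", "cannot open dir", "dir not owned by target",
    "dir group/world writable", "script missing", "script not a regular file",
    "script not owned by target", "script is setuid/setgid",
    "script group/world writable"
};

/* Split path into directory ("." when there is no slash) and base name
 * without modifying the input; fails on an empty base name. */
static int split_path(const char *path, char *dir, size_t dirlen, const char **base)
{
    const char *slash = strrchr(path, '/');
    if (slash == NULL) { snprintf(dir, dirlen, "."); *base = path; }
    else {
        size_t n = (size_t)(slash - path);
        if (n == 0) n = 1;             /* keep "/" for files in the root dir */
        if (n >= dirlen) return -1;
        memcpy(dir, path, n); dir[n] = '\0';
        *base = slash + 1;
    }
    return **base != '\0' ? 0 : -1;
}

/* The directory is opened once and the script is stat()ed relative to that
 * handle, so both halves of the verdict refer to the same directory object.
 * Symlinks are refused outright (AT_SYMLINK_NOFOLLOW + S_ISREG). */
int can_exec(const char *path, uid_t target_uid)
{
    char dir[4096];
    const char *base;
    struct stat ds, fs;
    int dfd, r = CE_OK;

    if (split_path(path, dir, sizeof dir, &base) != 0) return CE_BAD_PATH;
    dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0 || fstat(dfd, &ds) != 0) { if (dfd >= 0) close(dfd); return CE_DIR_OPEN; }
    if (ds.st_uid != target_uid)                                 r = CE_DIR_OWNER;
    else if (ds.st_mode & (S_IWGRP | S_IWOTH))                   r = CE_DIR_WRITABLE;
    else if (fstatat(dfd, base, &fs, AT_SYMLINK_NOFOLLOW) != 0)  r = CE_FILE_STAT;
    else if (!S_ISREG(fs.st_mode))                               r = CE_FILE_NOT_REG;
    else if (fs.st_uid != target_uid)                            r = CE_FILE_OWNER;
    else if (fs.st_mode & (S_ISUID | S_ISGID))                   r = CE_FILE_SETID;
    else if (fs.st_mode & (S_IWGRP | S_IWOTH))                   r = CE_FILE_WRITABLE;
    close(dfd);
    return r;
}

/* Constructed fixture: a fresh temp dir holding script.cgi with the requested
 * modes.  Writes the script's path to path_out; returns 0 on success. */
int make_fixture(mode_t dir_mode, mode_t file_mode, char *path_out, size_t outlen)
{
    static const char body[] = "#!/bin/sh\necho ok\n";
    const char *tmp = getenv("TMPDIR");
    char tmpl[4096];
    int fd;
    snprintf(tmpl, sizeof tmpl, "%s/sucgi-demo-XXXXXX", (tmp && *tmp) ? tmp : "/tmp");
    if (mkdtemp(tmpl) == NULL) return -1;
    if (snprintf(path_out, outlen, "%s/script.cgi", tmpl) >= (int)outlen) return -1;
    if ((fd = open(path_out, O_WRONLY | O_CREAT | O_EXCL, 0700)) < 0) return -1;
    if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1)) { close(fd); return -1; }
    close(fd);
    return (chmod(path_out, file_mode) == 0 && chmod(tmpl, dir_mode) == 0) ? 0 : -1;
}

/* Permission bits the filesystem actually recorded, so a caller can tell
 * whether a setuid bit was silently dropped; -1 if the path is not there. */
int fixture_mode(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

void remove_fixture(const char *script_path)
{
    char dir[4096];
    const char *base;
    if (split_path(script_path, dir, sizeof dir, &base) == 0) { unlink(script_path); rmdir(dir); }
}

int main(void)
{
    static const struct { mode_t d, f; uid_t off; const char *label; } cases[] = {
        { 0755, 0755,  0, "clean user dir" },
        { 0775, 0755,  0, "group-writable dir" },
        { 0755, 04755, 0, "script already setuid" },
        { 0755, 0775,  0, "group-writable script" },
        { 0755, 0755,  1, "target uid is someone else" },
    };
    char p[4096];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (make_fixture(cases[i].d, cases[i].f, p, sizeof p) != 0) { perror("fixture"); return 1; }
        printf("%-28s -> %s\n", cases[i].label, ce_names[can_exec(p, getuid() + cases[i].off)]);
        remove_fixture(p);
    }
    return 0;
}
```

Two caveats a wrapper author should keep in mind. First, a verdict from can_exec() followed by a separate execv() of the same path is a check-then-use race; keep the directory handle and exec relative to it (fexecve() on a file opened through dfd, or chdir into the directory and exec the base name) so the thing you checked is the thing you run. Second, as the message itself concedes, these checks only constrain which files the wrapper will switch uid for; they do nothing about who can invoke the wrapper, so anyone able to become 'www' can still drive it.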
