httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 00:25:21 GMT
>   IF you can become 'www', then you will be able to be a bad guy.
> 
> For the n'th time, I can't accept that.

No worries, I'm not expecting you to. :-)


>   The checks in can_exec(), (which I am about to put in sucgi.c) make
>   sure that:
> 
>   * the script is owned by the UID that is being switched to.
>   * the directory that it resides in is also owned by that UID.
>   * the directory is not writable by anyone but the owner.
>   * that the file is not already setuid.
> 
> ... all of which can be *very* easily arranged for by an attacker on a
> system with "giveaway" chowns --- out-of-the box SGIs, for one.  (I
> just tried it; gave away a file and its enclosing directory to root.
> Other likely "giftees" include 'bin', 'daemon', and 'uucp').

Doesn't the root owned directory need to be writable by you in
order to establish the link? Maybe I'm not familiar with your attack.

Leaving that kind of hole open is not a security flaw in Apache
or any wrapper. It's an administration error that is deadly when
you allow setuid files.

> The key check from cgiwrap that you're missing is that "if I'm running
> it as fred, it has to be in fred's directory".  Not any directory that
> happens to be owned by fred, but the *particular* directory which has
> been specifically designated as fred's cgi-bin.
> 
> rst

This is a flexibility that I am reluctant to give up. Luckily, 
the wrapper scheme allows me to cut my own throat with changing
Apache code to do it. :-)
