httpd-dev mailing list archives

From Nathan Neulinger <nn...@umr.edu>
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 23:26:47 GMT
At 6:21 PM 6/2/96, Robert S. Thau wrote:
>   The sucgi wrapper is too simple.
>
> Hmmm... before things get too heated, I'd better substantiate this
> with an example of an attack which, I think, would work with the
> sucgi wrapper, even after we tossed in Nathan's "owner == uid to
> switch to" check.  On hyperreal, which is a reasonably well-managed
> system (as I recall, Satan gave it a completely clean bill of health
> the first time Brian ran a check), we find the following:


Here's the problem as I see it:

       sucgi.c: Ok, I see you are 'www', I'll let you run any script as any
user - I'm not talking about the apache module... The weakest link is the
sucgi.c executable.

       cgiwrap: Ok, you're 'www', I'll let you run any script as any user,
so long as the following apply: The script doesn't have any questionable
permissions (i.e. setid, setgid), the script is stored in fred's directory
if you're going to run it as fred, and it's owned by fred.

I see no problem with suCGI suitably modified with the above checks for use
in personal user directories... But I don't see an easy way to do it for
virtual hosts that both works and is safe.

True, both of the above assume you have userid 'www' - but go from the line
of thought "what happens if the apache module/whatever breaks" or I exploit
a totally unrelated hole.
With the protections in cgiwrap, if you exploit a hole to get access to the
www userid, you don't compromise the entire system.

-- Nathan


------------------------------------------------------------
Nathan Neulinger                  Univ. of Missouri - Rolla
EMail: nneul@umr.edu                  Computing Services
WWW: http://www.umr.edu/~nneul      SysAdmin: rollanet.org
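
The three script checks the message lists for cgiwrap (no setuid/setgid bits, stored in fred's directory, owned by fred), written out as an added example that is not part of the original message and is not cgiwrap's or sucgi's source. The function names, return codes, uid 1001 and the /home/fred paths are assumptions made for illustration.

```c
/* Added example: the script checks described for cgiwrap in the message.
   Names, return codes and sample values are assumptions, not cgiwrap code. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

enum verdict { ALLOWED = 0, NOT_REGULAR, HAS_SETID_BITS, WRONG_OWNER, OUTSIDE_HOME };
/* Pure policy: decide from file metadata and the already-resolved path. */
enum verdict script_policy(mode_t mode, uid_t owner, const char *resolved,
                           const char *home, uid_t target)
{
    size_t n = strlen(home);
    if (!S_ISREG(mode))
        return NOT_REGULAR;
    if (mode & (S_ISUID | S_ISGID))      /* "questionable permissions" */
        return HAS_SETID_BITS;
    if (owner != target)                 /* must be owned by the target user */
        return WRONG_OWNER;
    /* Must live under the user's directory; require '/' after the prefix
       so that /home/fred2/x does not pass for /home/fred. */
    if (n == 0 || strncmp(resolved, home, n) != 0 || resolved[n] != '/')
        return OUTSIDE_HOME;
    return ALLOWED;
}

/* Filesystem wrapper: resolve symlinks first, then judge the resolved file. */
int script_check(const char *path, const char *home, uid_t target)
{
    char resolved[PATH_MAX];
    struct stat st;
    if (realpath(path, resolved) == NULL || stat(resolved, &st) != 0)
        return -1;                       /* unresolvable: refuse */
    return (int)script_policy(st.st_mode, st.st_uid, resolved, home, target);
}

int main(void)
{
    /* Constructed samples: uid 1001 stands in for fred. */
    printf("%d\n", script_policy(S_IFREG | 0755, 1001,
                                 "/home/fred/cgi-bin/a.cgi", "/home/fred", 1001));
    printf("%d\n", script_policy(S_IFREG | 04755, 1001,
                                 "/home/fred/cgi-bin/a.cgi", "/home/fred", 1001));
    return 0;
}
```

The check and the later exec are separate steps, so a wrapper built this way also has to make sure the file cannot be replaced between them.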
