Received: by taz.hyperreal.com (8.6.12/8.6.5) id QAA12050; Sun, 2 Jun 1996 16:27:25 -0700
Received: from umr.edu by taz.hyperreal.com (8.6.12/8.6.5) with ESMTP id QAA12033; Sun, 2 Jun 1996 16:27:20 -0700
Received: from [131.151.253.105] (dialup-pkr-7-2.network.umr.edu [131.151.253.105]) via SMTP by hermes.cc.umr.edu (8.7.5/R.4.16) id SAA18521; Sun, 2 Jun 1996 18:27:17 -0500 (CDT)
X-Sender: nneul@pop3.umr.edu
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 2 Jun 1996 18:26:47 -0500
To: new-httpd@hyperreal.com
From: Nathan Neulinger
Subject: Re: setuid control WITHOUT running as root
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

At 6:21 PM 6/2/96, Robert S. Thau wrote:
> The sucgi wrapper is too simple.
>
> Hmmm... before things get too heated, I'd better substantiate this
> with an example of an attack which, I think, would work with the
> sucgi wrapper, even after we tossed in Nathan's "owner == uid to
> switch to" check. On hyperreal, which is a reasonably well-managed
> system (as I recall, Satan gave it a completely clean bill of health
> the first time Brian ran a check), we find the following:

Here's the problem as I see it:

sucgi.c: OK, I see you are 'www'; I'll let you run any script as any user.

I'm not talking about the Apache module... The weakest link is the sucgi.c executable.

cgiwrap: OK, you're 'www'; I'll let you run any script as any user, so long as the following apply: the script doesn't have any questionable permissions (i.e. setuid, setgid), the script is stored in fred's directory if you're going to run it as fred, and it's owned by fred.

I see no problem with suCGI suitably modified with the above checks for use in personal user directories... But I don't see an easy way to do it for virtual hosts that will both work and be safe.
True, both of the above assume you have userid 'www' - but go from the line of thought "what happens if the apache module/whatever breaks" or I exploit a totally unrelated hole. With the protections in cgiwrap, if you exploit a hole to get access to the www userid, you don't compromise the entire system.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                    Univ. of Missouri - Rolla
EMail: nneul@umr.edu                Computing Services
WWW: http://www.umr.edu/~nneul      SysAdmin: rollanet.org