httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: suexec concerns
Date Fri, 03 Jan 1997 22:52:41 GMT

> suexec lets you execute programs from under a user's home directory.
> bin's home directory is "/" on my FreeBSD system.  On an AIX system I
> looked at, it is /bin, /usr/bin on a Solaris system, /bin on a
> SunOS one.  You put a shell under someone's home directory, therefore
> suexec can run it.  It does _NOT_ have to be in web space; hence
> the suggestion to make suexec go through the same process to see
> if something is a CGI that the main server would.

This is probably best solved by forcing the execution of ~user cgi
to reside under a compiled in ~/public_html/cgi-bin/. We've gone back
and forth on this, but seems prudent in light of the above.

I must point out that I don't allow _any_ ~user CGI on my systems,
so I have not given the ~user feature of suexec quite enough
scrutiny.

As you pointed out, this does not solve the issue of copies of things
like sh in the user webspace.

> > > > > So I can see two choices.  Either we make it so the HTTPD_USER can't
> > > > > be compromised easily (which can certainly be done with the right
> > > > > config file without source changes, but there will be many people
> > > > > who don't realize the implications of using suexec while letting
> > > > > other things run as HTTPD_USER) or we make it so that suexec doesn't
> > > > > trust what it is told.  This would include:
> > > > > 
> > > > > 	- only passing certain environment variables from suexec to
> > > > > 	  the process being run.
> > > > 
> > > > Ughh. Could be a support nightmare.
> > > 
> > > A very big one.  External config file.  Easy to modify.  Documented well.
> > > There aren't _that_ many variables which need to be passed.
> > 
> > The problem though is that what environment variables get past is _very_
> > configurable. With 100's or even 1000's of webservers to admin, there
> > will be a continuous stream of experts that have yet another variable
> > to add to the list.  Am I being a cynic? :)
> 
> I don't think that most people use anything other than the basic
> variables like REMOTE_HOST that the server sets.  The only other ones
> are ones that are set by the admin before the server is started, no?  

mod_env?

> > > The other thing I wouldn't mind would be the equivalent of crontab's allow
> > > and deny files, but that's a feature not a bugfix and is for the future.
> > 
> > Could be useful. As you point out though, this is nearly an all or
> > nothing feature. If _everyone_ is not being handled by the wrapper,
> > there are some holes.
> 
> I would argue there are more than "some" holes.
> 
> This would give you the ability to stop people from running _any_
> CGIs, not just to stop suexec from being used for them.  ie. make
> all CGIs use suexec, then only allow certain ones to get past it.

Agreed.
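
The two restrictions discussed in this thread (confining ~user CGI to a compiled-in `~/public_html/cgi-bin/` and passing only listed environment variables), sketched as an added example; it is not part of the original message and not code from Apache's suexec. The names `USER_CGI_SUBDIR`, `pass_env`, `user_cgi_allowed` and `filter_env` and the contents of the pass list are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values for illustration; not taken from suexec's source. */
#define USER_CGI_SUBDIR "public_html/cgi-bin"
static const char *const pass_env[] = {
    "REMOTE_HOST", "REMOTE_ADDR", "REQUEST_METHOD", "QUERY_STRING", NULL
};

/* Return 1 only if cmd resolves to a path inside <home>/public_html/cgi-bin.
 * realpath() follows symlinks and collapses "..", so both are judged by
 * where they really point. Any resolution failure is a refusal. */
int user_cgi_allowed(const char *home, const char *cmd)
{
    char dir[PATH_MAX], root[PATH_MAX], target[PATH_MAX];
    int n = snprintf(dir, sizeof dir, "%s/%s", home, USER_CGI_SUBDIR);
    if (n < 0 || (size_t)n >= sizeof dir) return 0;
    if (realpath(dir, root) == NULL || realpath(cmd, target) == NULL) return 0;
    size_t len = strlen(root);
    /* Require a '/' after the prefix so a sibling "cgi-bin2" does not match. */
    return strncmp(target, root, len) == 0 && target[len] == '/';
}

/* Copy into out[] only the NAME=value entries whose NAME is on pass_env.
 * out[] is NULL-terminated; returns the number of entries kept. */
size_t filter_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; cap > 0 && in[i] != NULL; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL) continue;
        size_t len = (size_t)(eq - in[i]);
        for (size_t j = 0; pass_env[j] != NULL; j++) {
            if (strlen(pass_env[j]) == len && !strncmp(in[i], pass_env[j], len)) {
                if (n + 1 < cap) out[n++] = in[i];
                break;
            }
        }
    }
    if (cap > 0) out[n] = NULL;
    return n;
}

/* Usage: ./check <home> <cgi-path>; exit status 0 means allowed. */
int main(int argc, char **argv)
{
    return argc == 3 && user_cgi_allowed(argv[1], argv[2]) ? 0 : 1;
}
```

A copy of sh placed inside the cgi-bin directory still passes the path check, which is the residual issue the message notes.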



