httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: suexec concerns
Date Fri, 03 Jan 1997 23:28:27 GMT
Marc Slemko wrote:
> 
> On Fri, 3 Jan 1997, Randy Terbush wrote:
> 
> > 
> > > suexec lets you execute programs from under a user's home directory.
> > > bin's home directory is "/" on my FreeBSD system.  On an AIX system I
> > > looked at, it is /bin, /usr/bin on a Solaris system, /bin on a
> > > SunOS one.  You put a shell under someone's home directory, therefore
> > > suexec can run it.  It does _NOT_ have to be in web space; hence
> > > the suggestion to make suexec go through the same process to see
> > > if something is a CGI that the main server would.
> > 
> > This is probably best solved by forcing the execution of ~user cgi
> > to reside under a compiled in ~/public_html/cgi-bin/. We've gone back
> > and forth on this, but seems prudent in light of the above.
> 
> That is one possibility that should solve many of the most serious
> security problems as far as I can see.  There is the "it's ugly" argument,
> but ugly better than dangerous.

This is exactly what cgiwrap does, and one of the suggestions I added
to suexec. As far as I can recall, cgiwrap checks that the script:

   o lives in ~/public_html/cgi-bin
   o is owned by the owner of that directory (same group too)
   o is not suid or sgid
   o is not a link

-- 
====================================================================
      Jim Jagielski            |       jaguNET Access Services
     jim@jaguNET.com           |       http://www.jaguNET.com/
                  "Not the Craw... the CRAW!"

Mime
View raw message