httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: suexec concerns
Date Sat, 04 Jan 1997 08:30:56 GMT
On Sat, 4 Jan 1997, Jim Jagielski wrote:

> Marc Slemko wrote:
> > 
> > On Fri, 3 Jan 1997, Randy Terbush wrote:
> > 
> > > 
> > > > Hang on.  The parent httpd, normally running as root, knows for sure who
> > > > its children are.  All we need is a way for suexec to ask the parent if
> > > > process x is a child of the parent or not.  Part of that could be already
> > > > implemented in the scoreboard stuff.  Comments? 
> > > 
> > > I tried to find a way to trace the "lineage" of a process for this
> > > very reason. While I *think* it would be possible to do this by
> > > mucking through kvm, I can't imagine how to make something like this
> > > portable. If you could come up with something, this would be golden.
> > 
> > suexec knows who its parent is with getppid().  The parent will be in the
> > scoreboard.  iff the ppid is in the scoreboard, then it was called from a
> > running copy of apache.  There is more to it than that, but I think that
> > idea could work.  The trick comes on systems that mmap it.  Perhaps I will
> > look at what apache is actually doing there to see how practical it is.
> > 
> 
> A thought... Apache knows when it will fork suexec. How about if
> it opens a socket or pipe and somehow delivers the fd to suexec.
> At that point, suexec can "talk" to Apache. Need some way to ensure
> that the fd can't be compromised or someone can't fake Apache...

Problem is that the only thing we can really trust is the apache parent
process.  Neither my solution (scoreboard is writable by children and
someone can potentially take over a legit child process once they
compromise HTTPD_USER) nor this (take over child process or a more
specific implementation hole) covers it all.  However, I don't see how
that potential can be avoided without doing immense amounts of processing
in the parent and screwing the whole world up far too much.  I am not yet
decided how dangerous trusting that the child httpd process won't be
compromised is.

We need to refer, somehow, to something not given to suexec from the
apache child that can be checked with something "given" to suexec by the
child which is either unalterable by the child (eg. pid) or is
cryptographically secure in some way (eg. public/private key system).
...on top of that, this has to either be done before 1.2 (ill advised
unless it is simple) or we need a temporary, if ugly, solution for 1.2.
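The getppid()-against-the-scoreboard check discussed in the quoted part of this thread, as an added example that is not Apache's or suexec's own code. It assumes a scoreboard that is simply a fixed-size array of child pids in a shared anonymous mapping, with 0 marking an unused slot; the real Apache scoreboard layout is different. The parent registers each child before releasing it (a pipe byte stands in for the parent's normal bookkeeping), and the helper the child spawns then asks whether its own parent pid is on the board. The limitation Marc raises above still holds: the board is writable by the children, so a compromised child httpd could register any pid it likes, and this check only tells you that the caller's parent claims to be a child of the server.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>

#define SCOREBOARD_SLOTS 8   /* assumed size for this demo; the real scoreboard is larger */

/* Return 1 if `pid` occupies a used slot of the scoreboard, else 0.
 * Slot value 0 means "unused", so a pid of 0 never matches.  A ppid of 1
 * means our parent already exited and init adopted us, which is never a
 * live child httpd, so it is rejected outright. */
int pid_in_scoreboard(pid_t pid, const pid_t *board, size_t slots)
{
    if (pid <= 1)
        return 0;
    for (size_t i = 0; i < slots; i++)
        if (board[i] != 0 && board[i] == pid)
            return 1;
    return 0;
}

/* The check a suexec-style helper would run at startup: is my parent one
 * of the registered child processes?  Nothing here stops a child from
 * writing its own (or any) pid into the board; see the discussion above. */
int caller_is_registered_child(const pid_t *board, size_t slots)
{
    return pid_in_scoreboard(getppid(), board, slots);
}

int main(void)
{
    /* Shared anonymous mapping standing in for the mmap'd scoreboard (assumption). */
    pid_t *board = mmap(NULL, SCOREBOARD_SLOTS * sizeof(pid_t), PROT_READ | PROT_WRITE,
                        MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (board == MAP_FAILED) { perror("mmap"); return 1; }
    memset(board, 0, SCOREBOARD_SLOTS * sizeof(pid_t));

    int sync[2];                 /* parent -> child: "you are registered, go ahead" */
    if (pipe(sync) < 0) { perror("pipe"); return 1; }

    pid_t child = fork();        /* this is the "child httpd" */
    if (child < 0) { perror("fork"); return 1; }

    if (child == 0) {
        char go;
        close(sync[1]);
        if (read(sync[0], &go, 1) != 1) _exit(2);   /* wait for registration */
        close(sync[0]);

        /* The child httpd now spawns the helper; real code would exec suexec here. */
        pid_t helper = fork();
        if (helper < 0) _exit(3);
        if (helper == 0) {
            int ok = caller_is_registered_child(board, SCOREBOARD_SLOTS);
            printf("helper: parent %d %s in the scoreboard\n",
                   (int)getppid(), ok ? "is" : "is NOT");
            _exit(ok ? 0 : 1);
        }
        int st = 0;
        waitpid(helper, &st, 0);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 3);
    }

    /* Parent httpd: record the child's pid, then let it proceed. */
    board[0] = child;
    close(sync[0]);
    if (write(sync[1], "x", 1) != 1) { perror("write"); return 1; }
    close(sync[1]);

    int st = 0;
    waitpid(child, &st, 0);
    int rc = WIFEXITED(st) ? WEXITSTATUS(st) : 3;
    printf("parent: helper check %s\n", rc == 0 ? "passed" : "failed");
    munmap(board, SCOREBOARD_SLOTS * sizeof(pid_t));
    return rc;
}
```

Run it and the helper reports that its parent is on the board; start the same helper from a shell instead and the check fails, because the shell's pid was never registered. The pipe is only there to keep the demo free of the race between the parent writing the slot and the helper reading it.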

