httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: suEXEC alternative. Please comment.
Date Wed, 09 Sep 1998 19:54:31 GMT
Marc Slemko wrote:
> 
> On Wed, 9 Sep 1998, Ben Laurie wrote:
> 
> > > By 'lowering' the UID to wwwcgi whenever code outside the server
> > > is executed, the wrapper can be sure it was called from the
> > > web-server (=some entity under the control of the web administrator)
> > > and not from user code. By executing the program, which denies
> > > execute to the public, the wrapper proves its identity to the
> > > script. So the script can imply "root says, this is a request
> > > authorized by the web administrator".
> >
> > This would mean Apache would have to retain root, which is really not
> > acceptable. Or did I miss something?
> 
> No, Apache runs as user xxx, but _never_ runs any other process as xxx.
> It always runs them as user xxxcgi through the use of a setuid root
> wrapper which checks to be sure user xxx is calling it.

Ah, right - I get it.

> Then, that wrapper can also do special things for files that are setuid to
> a particular user.
> 
> The issue here is that you end up placing a whole lot of faith in the
> assumption that there are no other security holes in the server or other
> ways to do things as xxx, which is a bad assumption.

Well, it's a better assumption than the current suEXEC model, isn't it?

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/
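
The wrapper scheme described in the quoted text above (server runs as xxx, a setuid root wrapper verifies that xxx is the caller, then runs the program as xxxcgi), as an added example that is not part of the original message and is not Apache's suEXEC code. The numeric IDs are constructed, and the function names `authorize` and `drop_to` are hypothetical.

```c
#define _DEFAULT_SOURCE 1 /* exposes setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample IDs: "xxx" is the server user, "xxxcgi" the CGI user. */
#define SERVER_UID 48
#define CGI_UID    5048
#define CGI_GID    5048

/* Decide whether the wrapper may proceed. 0 = ok, negative = refusal reason.
 * In a setuid binary the real UID is the caller's, the effective UID is root. */
int authorize(uid_t ruid, uid_t euid, uid_t server, uid_t target)
{
    if (euid != 0)      return -1; /* not installed setuid root */
    if (ruid != server) return -2; /* caller is not the web server user */
    if (target == 0 || target == server) return -3; /* never root, never xxx */
    return 0;
}

/* Drop to the target user permanently: groups first, then gid, then uid. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1; /* discard root's extra groups */
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1; /* sets real, effective, saved */
    if (setuid(0) == 0)          return -1; /* regaining root must fail */
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    int rc = authorize(getuid(), geteuid(), SERVER_UID, CGI_UID);
    if (rc != 0) {
        fprintf(stderr, "wrapper: refused (%d)\n", rc);
        return 1;
    }
    if (drop_to(CGI_UID, CGI_GID) != 0) {
        fprintf(stderr, "wrapper: privilege drop failed\n");
        return 1;
    }
    execv(argv[1], argv + 1); /* runs as xxxcgi from here on */
    perror("execv");
    return 1;
}
```

The caller check only establishes that the calling process has the server's UID, which is the assumption Marc Slemko's reply questions: anything else able to run code as xxx passes the same check.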
