httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: suEXEC alternative. Please comment.
Date Wed, 09 Sep 1998 19:09:27 GMT

On Wed, 9 Sep 1998, Ben Laurie wrote:

> > By 'lowering' the UID to wwwcgi whenever code outside the server
> > is executed, the wrapper can be sure it was called from the
> > web-server (=some entity under the control of the web administrator)
> > and not from user code. By executing the program, which denies
> > execute to the public, the wrapper proves its identity to the
> > script. So the script can imply "root says, this is a request
> > authorized by the web administrator".
> 
> This would mean Apache would have to retain root, which is really not
> acceptable. Or did I miss something?

No, Apache runs as user xxx, but _never_ runs any other process as xxx.
It always runs them as user xxxcgi through the use of a setuid root
wrapper which checks to be sure user xxx is calling it.

Then, that wrapper can also do special things for files that are setuid to
a particular user.

The issue here is that you end up placing a whole lot of faith in the
assumption that there are no other security holes in the server or other
ways to do things as xxx, which is a bad assumption.
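
The wrapper scheme described in this message, sketched as an added example (not part of the original message and not Apache's suEXEC code). The account names follow the message's placeholders `xxx` and `xxxcgi`; the function names and exit codes are assumptions.

```c
#define _DEFAULT_SOURCE 1  /* for setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed account names, taken from the message's placeholders. */
#define SERVER_USER "xxx"
#define CGI_USER    "xxxcgi"

enum verdict { ALLOW, DENY_NOT_SETUID, DENY_CALLER, DENY_TARGET };

/* Policy check, kept pure so it can be tested without root. It proves only
   that the caller's real uid is xxx, not that the caller is the server. */
enum verdict check_call(uid_t ruid, uid_t euid, uid_t server_uid, uid_t cgi_uid)
{
    if (euid != 0) return DENY_NOT_SETUID;       /* not installed setuid root */
    if (ruid != server_uid) return DENY_CALLER;  /* only user xxx may call us */
    if (cgi_uid == 0 || cgi_uid == server_uid)
        return DENY_TARGET;                      /* never run CGI as root or xxx */
    return ALLOW;
}

/* Become the CGI account for good: groups first, then gid, then uid. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;  /* regaining root must fail */
}

/* Target path validation and environment cleaning are out of scope here. */
int main(int argc, char **argv)
{
    struct passwd *pw;
    uid_t server_uid, cgi_uid;
    gid_t cgi_gid;

    if (argc < 2) return 2;
    if (!(pw = getpwnam(SERVER_USER))) return 3;
    server_uid = pw->pw_uid;         /* copy: getpwnam reuses its buffer */
    if (!(pw = getpwnam(CGI_USER))) return 3;
    cgi_uid = pw->pw_uid;
    cgi_gid = pw->pw_gid;
    if (check_call(getuid(), geteuid(), server_uid, cgi_uid) != ALLOW) return 4;
    if (drop_to(cgi_uid, cgi_gid) != 0) return 5;
    execv(argv[1], argv + 1);
    return 6;                        /* exec failed */
}
```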

