httpd-dev mailing list archives

From Dirk-Willem van Gulik <>
Subject Re: More arm-linuxelf info
Date Wed, 09 Sep 1998 17:37:51 GMT
Donald Buczek wrote:
> As usual on unix, users are free to create setuid scripts. As opposed to
> suEXEC, making a script setuid is the only way to get a transition to
> a uid different from the default (wwwcgi). So this transition is only
> at the explicit decision of the owner of the program and never implied.

This is altering the threat model (not necessarily a bad thing, but it
means it isn't really an alternative to suEXEC). suEXEC protects the
webmaster from the users. This approach does not.

> The last step was the one I was really after, because currently
> server-based authorization and privileged cgi-programs don't mix well.
> The current suEXEC never can make sure that it was called from the
> server (and not from another cgi-script, which did some 'corrections'
> to the environment). So the scripts never can be sure - even if
> suEXEC proved its privilege by changing the UID.
> By 'lowering' the UID to wwwcgi whenever code outside the server
> is executed, the wrapper can be sure it was called from the
> web-server (=some entity under the control of the web administrator)
> and not from user code. By executing the program, which denies
> execute to the public, the wrapper proves its identity to the
> script. So the script can imply "root says, this is a request
> authorized by the web administrator".

This would mean Apache would have to retain root, which is really not
acceptable. Or did I miss something?



Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|
and Technical Director|Email: |
A.L. Digital Ltd,     |Apache-SSL author
London, England.      |"Apache: TDG"

