httpd-dev mailing list archives

From Oezguer Kesim <ke...@math.fu-berlin.de>
Subject Re: Contribution: SuEXEC Options
Date Sat, 14 Nov 1998 21:19:59 GMT
Thus spake Marc Slemko (marcs@worldgate.com):

> >   - util_script.c is changed so that it calls suEXEC like in the two cases
> >     in the original source (i.e. ~user or <Virtualhost> with UID and GID
> >     set) and now also when `SuExec' is set for this <Directory>.
> > 
> >     Also, create_argv(), has been changed.  All Options set for a specific
> >     <Directory> are given as commandline argument to suEXEC.
> 
> suexec is designed so it does not trust anything passed to it on the
> command line, but verifies it all itself.  What stops anyone else who can
> get access to the user Apache runs as from calling suexec with whatever 
> arguments they want in your case?

Be careful.  The current implementation of suexec does not check whether
the owner of a script is in the group of the script.

My opinion is:  A machine where a user can get access to the user
who is authorized to run suexec is cracked anyway.  An attacker who gains
access to user foo also could become bar or even root.  So don't blame
suexec if your machine is broken.

But, you are right, I can't verify the origin of the calling process.  On
the other hand, my patch isn't enabled by default.  It is designed for
situations where access to the server running apache is restricted to root
and the webadmin, as in our network.  And this is what an admin is
responsible for.  I say: If you want a fully controlled usage of suEXEC, just
feel free, but protect your machine carefully -- this should be fulfilled
anyway.

Hm... well, I will think about this again and will give a solution for the
problem you mentioned, which hopefully satisfies _you_.

cheers,
  oec
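
The design point quoted above (a privileged wrapper re-checks what it was told against facts it can observe itself) as an added C illustration; it is not suexec's source and not part of this message. The function name `verify_target`, the verdict codes and the particular set of checks are assumptions made for the sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why a target was refused; V_OK means every check passed. */
enum verdict { V_OK = 0, V_NOSTAT, V_NOTREG, V_WRITABLE, V_SETID, V_OWNER };

/*
 * Hypothetical helper (illustration only, not a suexec function).
 * The caller *claims* the script should run as want_uid/want_gid; the
 * wrapper accepts that claim only if the file's own metadata agrees.
 * Nothing here depends on flags the caller could simply assert.
 * Note: a real wrapper must also keep the path from being swapped
 * between this check and the exec (directory not writable by others).
 */
enum verdict verify_target(const char *path, uid_t want_uid, gid_t want_gid)
{
    struct stat st;

    if (lstat(path, &st) != 0)                 /* lstat: do not follow symlinks */
        return V_NOSTAT;
    if (!S_ISREG(st.st_mode))                  /* rejects symlinks, dirs, devices */
        return V_NOTREG;
    if (st.st_mode & (S_IWGRP | S_IWOTH))      /* someone else could rewrite it */
        return V_WRITABLE;
    if (st.st_mode & (S_ISUID | S_ISGID))      /* would change identity again */
        return V_SETID;
    if (st.st_uid != want_uid || st.st_gid != want_gid)
        return V_OWNER;                        /* claim and file disagree */
    return V_OK;
}

static const char *verdict_name(enum verdict v)
{
    static const char *names[] = { "ok", "cannot stat", "not a regular file",
        "writable by group/other", "setuid/setgid bit set", "owner/group mismatch" };
    return names[v];
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <script>\n", argv[0]);
        return EXIT_FAILURE;
    }
    enum verdict v = verify_target(argv[1], getuid(), getgid());
    printf("%s: %s\n", argv[1], verdict_name(v));
    return v == V_OK ? EXIT_SUCCESS : EXIT_FAILURE;
}
```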
