httpd-dev mailing list archives

From Webmaster+BOfH <st...@max.hkust.se>
Subject Re: [PATCH] SECURITY: UID of htdocs & icons data
Date Sun, 06 Dec 1998 16:17:57 GMT
Ralf S. Engelschall wrote:
> 
> 
> Here is a patch for PR#3494. Should we also do something for the GID? The
> problem is that we cannot know which GID exists for root. Ok, we can use the
> numerical GID 0 which on mostly all platforms corresponds to root.  Ideas?

1) Use the same UID/GID as the daemon runs as? nobody/nobody
   I'm not sure if this is a security hole...

2) Use the same UID/GID as the user who does the 'make install'?
   This is most often root/administrator or similar.


I think 2) is the best approach

/magnus


> 
>                                        Ralf S. Engelschall
>                                        rse@engelschall.com
>                                        www.engelschall.com
> 
> Index: src/CHANGES
> ===================================================================
> RCS file: /e/apache/REPOS/apache-1.3/src/CHANGES,v
> retrieving revision 1.1164
> diff -u -r1.1164 CHANGES
> --- src/CHANGES	1998/12/06 15:40:50	1.1164
> +++ src/CHANGES	1998/12/06 15:56:15
> @@ -1,4 +1,10 @@
>  Changes with Apache 1.3.4
> +
> +  *) SECURITY: When installing Apache under root some files from htdocs/ and
> +     icons/ are installed with the UID/GID of the user who rolled the Apache
> +     tarball and not with the UID of root. When this UID is mapped to an
> +     existing local user this user was able to modify the manual pages and
> +     icons. [Ralf S. Engelschall] PR#3494
>   
>    *) Make generation of src/Configuration.apaci more robust: It failed to
>       differenciate between modules when one module name was a postfix of
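Review bot: the CHANGES entry states the files end up with the wrong "UID/GID", but the accompanying Makefile.tmpl hunks only `chown root` the files and leave the group untouched, so the text overstates what is fixed; either narrow the wording to the UID or change the group as well (GID 0, as the cover mail suggests). Unrelated pre-existing typo in the context line: "differenciate" should be "differentiate".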
> Index: Makefile.tmpl
> ===================================================================
> RCS file: /e/apache/REPOS/apache-1.3/Makefile.tmpl,v
> retrieving revision 1.53
> diff -u -r1.53 Makefile.tmpl
> --- Makefile.tmpl	1998/12/05 21:10:40	1.53
> +++ Makefile.tmpl	1998/12/06 15:52:55
> @@ -364,6 +364,9 @@
>  		(cd $(root)$(datadir)/htdocs/ && $(TAR) -xf -); \
>  		find $(root)$(datadir)/htdocs/ -type d -exec chmod a+rx {} \; ; \
>  		find $(root)$(datadir)/htdocs/ -type f -exec chmod a+r {} \; ; \
> +		if [ ".`id | grep root`" = . ]; then \
> +			find $(root)$(datadir)/htdocs/ -type f -exec chown root {} \; >/dev/null 2>&1;
\
> +		fi; \
>  	fi
>  	-@if [ -f $(root)$(datadir)/cgi-bin/printenv ]; then \
>  		echo "[PRESERVING EXISTING DATA SUBDIR: $(root)$(datadir)/cgi-bin/]"; \
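Review bot: the condition in `if [ ".`id | grep root`" = . ]; then` is inverted: the test is true when the `id` output contains no "root" at all, so the `chown root` runs only when the installer is not root (where it must fail, and the `>/dev/null 2>&1` hides that failure) and is skipped in the one case it is meant for. Test the numeric uid instead, e.g. `if [ ".`id | grep 'uid=0('`" != . ]; then`, which also avoids matching any user or group name that merely contains the string "root". Separately, the new `find ... -type f -exec chown root {} \;` only re-owns files while the `chmod` lines directly above treat both `-type d` and `-type f`; directories extracted from the tarball keep the original packager's UID, and whoever owns a directory can still replace or rename the files in it, so the `chown` should cover `-type d` as well.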
> @@ -381,6 +384,9 @@
>  	(cd $(root)$(datadir)/icons/ && $(TAR) -xf -); \
>  	find $(root)$(datadir)/icons/ -type d -exec chmod a+rx {} \; ;\
>  	find $(root)$(datadir)/icons/ -type f -exec chmod a+r {} \;
> +	if [ ".`id | grep root`" = . ]; then \
> +		find $(root)$(datadir)/icons/ -type f -exec chown root {} \; >/dev/null 2>&1;
\
> +	fi; \
>  	@echo "<=== [data]"
>  
>  #   create the initial configuration by providing default files
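Review bot: same inverted `id | grep root` test and same file-only `chown` as in the htdocs hunk above, so the icons/ directory is left owned by the packager's UID too. In addition, the `fi; \` line ends with a continuation backslash but the `find ... -exec chmod a+r {} \;` line before the new `if` does not, so the `if ... fi;` becomes its own recipe command and the trailing `\` joins it to the next line `@echo "<=== [data]"`; make only strips `@` at the start of a recipe line, so the shell receives a literal `@echo` and the "[data]" message will fail with a command-not-found error. Drop the trailing backslash from `fi;`.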
> 

