httpd-dev mailing list archives

From "David Harris" <>
Subject RE: suexec: lstat vs stat
Date Fri, 12 Mar 1999 04:58:02 GMT

Gary Shea wrote:
> So far the only way I've been able to think
> of to get the flexibility I want, without hacking Apache code in such
> a way that Apache could be implicated in security problems as
> a result of holes in the new suexec code, is to use no information
> whatsoever from Apache.  I haven't implemented that approach yet,
> as I have preferred integrating as much as possible into the regular
> Apache config file.

Yes, trusting information passed to suexec from Apache with blind faith is a
no-no. It's really hard to be absolutely sure that suexec has not been
invoked by some cracker. That's why the _real_ suexec does so much checking
of everything internally. Apache might never ask to run /bin/sh as root, but
some cracker might.

I'm going to search the archives for a possibly more theoretical discussion
of this issue. I'm sure the experts who hammered out the existing suexec had
more to say about this.

> > Just modify suexec to ignore the passed user and group names and decide
> > whatever criterion you want. The API between Apache and suexec is well
> > defined and has been constant. One only has to provide a dummy user or
> > directive in a virtual host to trigger the use of suexec by
> A workable idea.
> Is that what you're doing?  You trigger suexec (well, your faux suexec ;)
> when you need it, but use only the filename and file ownerships
> to determine what actions to take?  You're living within the suexec
> API, basically?

Yup. If I need to pass some other information, I just toss it into the
environment. So far I've only had one place where I needed this:
REDIRECT_FILENAME, as I am going to handle mod_actions scripts properly.

Seems to me that you have implemented directory-based user and group
directives. Instead of creating two new configuration directives and
modifying main/util_script.c, I would modify suexec to read the user and
group from the environment and ignore the user and group passed on the
command line. Then, just set a bogus user directive in my conf files and set
the environment to set the user and group I want on a per-directory basis.

However, now anyone who can run a .htaccess file can also set those
environment variables, so you have to be careful inside the modified suexec.
Something like checking to make sure the file is in the user's home
directory and all directories between the user's home and the program's
directory are owned by the user and not world writeable.

> I'm not crazy about the semi-hacky nature of providing a bogus directive
> in order to trigger the desired behavior, but would be happy enough
> with a directive that had the same effect and also made sense in English!
> Shouldn't be too hard to implement, either.

Hacking main/util_script.c to always run suexec should be really easy. I've
been there, and I know what if statement I'd modify.

I'll be working on my modified suexec tomorrow and have a working version
out then (hope, hope) or sometime early next week.

 - David Harris
   Principal Engineer, DRH Internet Services
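The check sketched in the message above (script under the user's home, every directory from the home down to the script's directory owned by that user and not world-writable) written out as an added example. This is illustrative code written for this archive page, not Apache's suexec.c and not David Harris's modified version; the function names, the error codes and the temporary-directory fixture in `demo()` are all assumptions made here. It uses lstat() rather than stat(), which is the distinction in the subject line, so that a symlink planted on the path is rejected instead of followed.

```c
/* Added example, not Apache's suexec.c: validate that a CGI script lies
 * under the user's home and that every directory from the home down to the
 * script's directory is a real directory owned by that uid and not o+w.
 * lstat() is used deliberately so a symlink on the path is rejected rather
 * than followed. demo() builds a constructed fixture under /tmp to exercise
 * the checks; it is test scaffolding, not part of the technique. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum path_check_result {
    PATH_OK = 0, PATH_NOT_UNDER_HOME, PATH_TOO_LONG, PATH_STAT_FAILED,
    PATH_SYMLINK, PATH_NOT_DIRECTORY, PATH_NOT_REGULAR, PATH_WRONG_OWNER,
    PATH_WORLD_WRITABLE
};

/* lstat one node and apply the ownership/mode rules; want_dir selects
 * whether a directory or a regular file is expected at this point. */
static enum path_check_result check_node(const char *path, uid_t uid, int want_dir)
{
    struct stat st;
    if (lstat(path, &st) != 0) return PATH_STAT_FAILED;
    if (S_ISLNK(st.st_mode)) return PATH_SYMLINK;      /* lstat: do not follow */
    if (want_dir && !S_ISDIR(st.st_mode)) return PATH_NOT_DIRECTORY;
    if (!want_dir && !S_ISREG(st.st_mode)) return PATH_NOT_REGULAR;
    if (st.st_uid != uid) return PATH_WRONG_OWNER;
    if (st.st_mode & S_IWOTH) return PATH_WORLD_WRITABLE;
    return PATH_OK;
}

/* Reject "//", "/./" and "/../" components so the prefix test in
 * check_script() cannot be bypassed with traversal in a raw path. */
static int has_dot_component(const char *p)
{
    for (const char *s = p; *s; s++) {
        if (*s != '/') continue;
        if (s[1] == '/') return 1;
        if (s[1] == '.' && (s[2] == '/' || s[2] == '\0')) return 1;
        if (s[1] == '.' && s[2] == '.' && (s[3] == '/' || s[3] == '\0')) return 1;
    }
    return 0;
}

enum path_check_result check_script(const char *home, const char *script, uid_t uid)
{
    char buf[4096];
    size_t hlen = strlen(home);
    enum path_check_result r;

    while (hlen > 1 && home[hlen - 1] == '/') hlen--;   /* tolerate "/home/u/" */
    if (hlen == 0 || home[0] != '/' || has_dot_component(home) || has_dot_component(script))
        return PATH_NOT_UNDER_HOME;
    if (strncmp(script, home, hlen) != 0 || script[hlen] != '/')
        return PATH_NOT_UNDER_HOME;
    if (strlen(script) >= sizeof(buf)) return PATH_TOO_LONG;
    strcpy(buf, script);

    /* buf[hlen] is '/', so the first pass checks the home itself; each later
     * '/' yields a deeper directory, ending with the script's own directory. */
    for (size_t i = hlen; buf[i] != '\0'; i++) {
        if (buf[i] != '/') continue;
        buf[i] = '\0';
        r = check_node(buf, uid, 1);
        buf[i] = '/';
        if (r != PATH_OK) return r;
    }
    return check_node(script, uid, 0);                  /* and the script file */
}

/* Constructed fixture: a throwaway tree under /tmp owned by the caller.
 * Scenarios: 0 good, 1 world-writable dir, 2 symlinked dir, 3 outside home,
 * 4 dot-dot traversal. Returns the verdict for that scenario. */
enum path_check_result demo(int scenario)
{
    static char root[] = "/tmp/suexec-demo-XXXXXX";
    static char home[64], good[512], ww[512], lnk[512], out[512], dots[512], d[512];
    static int built = 0;
    if (!built) {
        if (!mkdtemp(root)) return PATH_STAT_FAILED;
        snprintf(home, sizeof home, "%s/home", root);
        snprintf(good, sizeof good, "%s/cgi/a.cgi", home);
        snprintf(ww, sizeof ww, "%s/pub/a.cgi", home);
        snprintf(lnk, sizeof lnk, "%s/link/a.cgi", home);
        snprintf(out, sizeof out, "%s/other/a.cgi", root);
        snprintf(dots, sizeof dots, "%s/cgi/../../other/a.cgi", home);
        mkdir(home, 0755);
        snprintf(d, sizeof d, "%s/cgi", home);  mkdir(d, 0755);
        snprintf(d, sizeof d, "%s/pub", home);  mkdir(d, 0755); chmod(d, 0777);
        snprintf(d, sizeof d, "%s/link", home); symlink("cgi", d);
        int fd = open(good, O_WRONLY | O_CREAT, 0755);
        if (fd >= 0) close(fd);
        built = 1;
    }
    const char *paths[] = { good, ww, lnk, out, dots };
    return check_script(home, paths[scenario < 0 || scenario > 4 ? 4 : scenario], getuid());
}

int main(void)
{
    static const char *names[] = { "good", "world-writable dir", "symlinked dir",
                                   "outside home", "dot-dot traversal" };
    for (int i = 0; i < 5; i++)
        printf("%-20s -> %d\n", names[i], (int)demo(i));
    return 0;
}
```

The walk only covers the home and everything beneath it, as the message proposes; it deliberately says nothing about the directories above the home (e.g. a world-writable /home), which a production check would also want to inspect. A directory owned by a different uid cannot be produced by the unprivileged fixture and so is not among the demo scenarios, but check_node() rejects it via PATH_WRONG_OWNER.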
