httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject Re: Setuid Apache?
Date Mon, 15 Nov 1999 16:14:22 GMT
On Mon, 15 Nov 1999, Stephen Andrew Misel wrote:

>The processes wait for connections as root, and once a connection
>has been made, it calls setegid() and seteuid() for the User and
>Group specified in the conf file for that VirtualHost.  If the
>request is a non CGI (or SSI, etc) the request is handled and that
>process does a setegid() and seteuid() back to root to wait for
>the next request.

>In the event we're dealing with a CGI and need to fork(), the
>setegid() and seteuid() are back to root, at which point it calls
>setgid() and setuid() to assume the user's real identity (verses
>effective), and then forks off the child.  Of course, when the
>request is complete, it assumes root again and waits in the free

>I see the security implications here as minimal, as long as the
>server makes a confirmation that it's uid/gid change was successful
>before serving documents or running CGI's (otherwise they'd run as
>root, bad bad).  Am I correct?

No.  Running the server in that manner means that any bug in the server 
(eg. buffer overflow) will allow a root compromise.  That is not a 
very good thing and, because of that, I'm doubtful that such code has
a place in the Apache distribution.  

Sure, it is convenient.  But it is also quite risky.

View raw message