httpd-dev mailing list archives

From Jeff Trawick <>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Wed, 07 Jun 2000 22:30:13 GMT
> Date: Wed, 7 Jun 2000 21:09:25 +0100 (BST)
> From: James Sutherland <>
> On Wed, 7 Jun 2000, Jeff Trawick wrote:
> > Here are some notes on some possible changes to mod_cgid.  Perhaps
> > they will help somebody think of better alternatives.
> > 
> > 
> > current problems, both related to starting httpd as root
> > 
> > a) when httpd is started as root, the cgi daemon continues to run as root
> Change uid to "cgid" or whatever.

What do you mean by "cgid"?  Something other than what is coded for
User in the config file?

> > b) depending on the umask of httpd, permissions on the af_unix socket 
> >    are wrong; either they don't allow non-root httpd to connect to the 
> >    socket, meaning that CGIs are broken, or they allow anybody to 
> >    connect to the socket, meaning that a local denial of service 
> >    attack is easy
> Explicitly set the socket permissions, as root, to make it owned by
> cgid.

It's not so dark here anymore!  Thanks!  chown() was lost on me.  I
think that solves everything that needs to be solved.

Ryan suggested the same thing in very general terms, but I didn't get
chown() out of his comments (whether or not he intended it).

I think this plus chown() plus doing it in the right order is a
sufficient set of changes: 

> > When started as root, the cgi daemon needs to change its euid/egid just
> > like the other httpd processes, by calling unixd_setup_child().  This
> > takes care of problem a).
> > 

To clarify the order:

  fork() daemon process
  in child:
    initialize Unix socket with permissions rw-------
    if (!geteuid()) {
        use chown() to change ownership of the Unix socket to the user
        that httpd runs as
    }
    call unixd_setup_child()

Note that we call unixd_setup_child() even if euid != 0, as
unixd_setup_child() does stuff if egid != 0.  We don't need to care 
about gid for purposes of the socket; we won't even bother looking at egid.

Also, note that you can already override the default socket name
of prefix/logs/cgisock.  (I didn't realize it at the time.)  If you run
more than one copy of Apache+cgid and you don't override the root
directory, you'll have to override the name for at least one copy.  If
this is a real hardship, we can worry about that later.  I think we 
have a solution for the critical issues, so I'm happy.

Any problems with this?  What am I missing?

Jeff Trawick | | PGP public key at web site:
          Born in Roswell... married an alien...
