httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <trawi...@bellsouth.net>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Thu, 08 Jun 2000 02:37:58 GMT
> Date: Wed, 7 Jun 2000 19:12:42 -0700
> From: Greg Stein <gstein@lyra.org>

> On Wed, Jun 07, 2000 at 05:18:39PM -0700, rbb@covalent.net wrote:
> >...
> > > This still allows people who can compromise the user Apache runs as to
> > > make random requests to cgid.  Is that an issue?  I don't know, I don't
> > > know anything about cgid.
> > 
> > Is this an issue?  Yes, but a small one.  Basically, mod_cgid packages up
> > a lot of information and passes it down the socket to tell Apache how to
> > run the CGI.  So, what we are basically saying is that it is possible for
> > a stranger to tell Apache to execute a CGI program.  That's actually fine,
> > because if Apache has access to a CGI program so that it can run it, a
> > user can use telnet to accomplish the same thing using mod_cgi.
> 
> Apache might not (normally) allow a person to run a CGI, due to
> authorization on a particular location/dir/file. For this reason, it can
> actually be a pretty big issue if local users can talk to the CGI
> daemon.

It isn't so easy for a rogue user to get the cgi daemon to do
something while bypassing Apache's authorization checks.

With the proposed fix, a user must have euid == 0 or euid == the
Apache user in order to send commands to the cgi daemon.  This seems
to be an acceptable condition, i.e., a risk that many other programs
are willing to accept. 

-- 
Jeff Trawick | trawick@ibm.net | PGP public key at web site:
     http://www.geocities.com/SiliconValley/Park/9289/
          Born in Roswell... married an alien...

Mime
View raw message