httpd-dev mailing list archives

From Jeff Trawick <trawi...@bellsouth.net>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Thu, 08 Jun 2000 12:02:17 GMT
> Date: Thu, 8 Jun 2000 07:35:51 +0100 (BST)
> From: James Sutherland <jas88@cam.ac.uk>
> 
> On Wed, 7 Jun 2000, Jeff Trawick wrote:
> 
> > > > a) when httpd is started as root, the cgi daemon continues to run as root
> > > 
> > > Change uid to "cgid" or whatever.
> > 
> > What do you mean by "cgid"?  Something other than what is coded for
> > User in the config file?
> 
> Ideally, CGIs should be running as a user other than the httpd, I think.
> Add an option CGIUser to control this?

I guess I'm pretty ignorant here.  I thought that suexec covered that
issue and that hopefully it could be shoehorned to work with
mod_cgid.  For now, I think I'll just put something in the STATUS file
(don't let me forget :) ).

> > > Explicitly set the socket permissions, as root, to make it owned by
> > > cgid.
> > 
> > It's not so dark here anymore!  Thanks!  chown() was lost on me.  I
> > think that solves everything that needs to be solved.
> > 
> > Ryan suggested the same thing in very general terms, but I didn't get
> > chown() out of his comments (whether or not he intended it).
> > 
> > I think this plus chown() plus doing it in the right order is a
> > sufficient set of changes: 
> 
> That'll secure the socket from any evil users; with the t bit on the
> directory, only Apache can delete the socket, and only the cgid or Apache
> can open it.

The t bit isn't needed on the directory because it lives in
prefix/logs, and the logs directory isn't world-writable (unless the
admin does something stupid).

Only the cgid or Apache can connect() to it by virtue of the
permissions (rw-------) and owner (Apache user id).

> > Also, note that you can already override the default socket name
> > of prefix/logs/cgisock.  (I didn't realize it at the time.)  If you run
> > more than one copy of Apache+cgid and you don't override the root
> > directory, you'll have to override the name for at least one copy.  If
> > this is a real hardship, we can worry about that later.  I think we 
> > have a solution for the critical issues, so I'm happy.
> > 
> > Any problems with this?  What am I missing?
> 
> That looks good. Is it possible to append the PID to the socketname? This
> will ensure it's unique if two copies of Apache are running at the same
> time with the same config. We need to unlink() the socket on exit,
> ideally, to ensure the directory doesn't get cluttered; just checking for
> (eg) cgisock.`cat httpd.pid` on initialisation, before httpd.pid is
> updated, should do most of this work.

How about for now I put something in the STATUS file (under
non-showstoppers) for suggested mod_cgid enhancements related to the
socket? 

a) add .pid to the cgisock pathname
b) remove the cgisock socket when Apache goes away

The more new function I'm testing at once, the greater the chance of
it not being correct.

> James.

Thanks for your comments!


-- 
Jeff Trawick | trawick@ibm.net | PGP public key at web site:
     http://www.geocities.com/SiliconValley/Park/9289/
          Born in Roswell... married an alien...
