httpd-dev mailing list archives

From Jeff Trawick <>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Thu, 08 Jun 2000 12:21:28 GMT
> Date: Thu, 8 Jun 2000 03:10:43 -0700
> From: Manoj Kasichainula <>
> On Wed, Jun 07, 2000 at 05:56:48PM -0600, Marc Slemko wrote:
> > This still allows people who can compromise the user Apache runs as to
> > make random requests to cgid.  Is that an issue?  I don't know, I don't
> > know anything about cgid.
> > 
> > The "normal" way to do things would be to open the Unix socket in the
> > parent as root, and keep it open so it is inherited by the child
> > processes.  I don't know if that works for this.
> If the children don't need to reopen the socket, this is the best
> solution.

Since we want a new connection per request, inheritance won't help.

> Otherwise, an alternate solution would be what mod_jserv does: Have a
> secret key that is used to authenticate a connection. Now, since I
> believe mod_cgid has the luxury of having been forked but not execed,
> it doesn't have to store the key on disk like jserv does; the key
> could be some random number (though you'd have to be very careful that
> this was a truly random number, and not something guessable).

Yea, I thought of passing an authentication token across.  That would
make it harder to hack.  But I have the general feeling (i.e., I can't
give you a list of exploits :) ) that if somebody is running as the
Apache user id (which is required to connect() to the socket once the
agreed fixes are committed) then there are probably any number of
other exploits they can use to disrupt or trick mod_cgid, or Apache in
general for that matter, and it would be a losing battle to try to
protect against what such a user could do.

Is this a reasonable stance?

Jeff Trawick | | PGP public key at web site:
          Born in Roswell... married an alien...
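
The in-memory key idea from the quoted suggestion, as an added example (not part of the original message and not mod_cgid code): a random key is generated before fork(), the forked-but-not-exec'd daemon keeps its copy in memory only, and every connection must present it. A socketpair stands in for the per-request Unix socket, and `make_key`, `token_ok` and `run_exchange` are hypothetical names.

```c
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define KEY_LEN 16
static unsigned char key[KEY_LEN];   /* lives only in memory; fork() copies it */

/* Fill the key from the kernel CSPRNG (not rand() or time); 0 on success. */
static int make_key(void) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, key, KEY_LEN);
    close(fd);
    return n == KEY_LEN ? 0 : -1;
}

/* Compare without an early exit, so timing does not reveal matching bytes. */
static int token_ok(const unsigned char *a, const unsigned char *b) {
    unsigned char diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* One request: returns 1 if the daemon accepted the token, 0 if it
 * rejected it, -1 on setup error. tamper != 0 flips one token bit. */
int run_exchange(int tamper) {
    int sv[2];
    if (make_key() != 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                      /* daemon side: forked, never exec'd */
        unsigned char got[KEY_LEN], verdict;
        close(sv[0]);
        verdict = read(sv[1], got, KEY_LEN) == KEY_LEN && token_ok(got, key);
        if (write(sv[1], &verdict, 1) != 1) _exit(1);
        _exit(0);
    }
    unsigned char tok[KEY_LEN], verdict = 0;   /* request-handling side */
    close(sv[1]);
    for (size_t i = 0; i < KEY_LEN; i++) tok[i] = key[i];
    if (tamper) tok[0] ^= 1;             /* simulate a caller without the key */
    ssize_t sent = write(sv[0], tok, KEY_LEN);
    ssize_t n = sent == KEY_LEN ? read(sv[0], &verdict, 1) : -1;
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return n == 1 ? verdict : -1;
}
```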
