httpd-dev mailing list archives

From Greg Marr <gr...@alum.wpi.edu>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Wed, 07 Jun 2000 20:10:03 GMT
At 03:47 PM 06/07/2000, Jeff Trawick wrote:
>How to solve problem b) while retaining the Unix socket (and thus retaining
>the current code) ?  (I'm not eager to rewrite the IPC at the moment.)
>
>3) create the af_unix socket as /tmp/cgisock after changing from root, with
>    permissions rw------- so that no local users (other than the one httpd runs
>    as) can cause problems
>
>    Problems:
>
>      depending upon the permissions on /tmp, any local user can remove the
>      socket and thus break cgis (SHOWSTOPPER)

Check for the sticky bit, and fail if it doesn't exist.

>      the socket doesn't live under normal Apache directory structure, which
>      is sloppy

It's a temporary file, so /tmp isn't a problem.

>      you can't run more than one copy of Apache at once; the second copy
>      would remove /tmp/cgisock, create a new one, and the first Apache would
>      send CGI requests to the second CGI daemon (SHOWSTOPPER)

Make it /tmp/cgisock<PID>, so each daemon would have a different 
socket.

>4) let the administrator configure the location of the Unix socket; they
>    should create a directory somewhere and allow only the Apache user id
>    rwx access to it (we can check that permissions are appropriate); if not
>    running with euid==0, we could allow a default of logs/cgisock
>
>    Problems:
>
>      the socket doesn't live under normal Apache directory structure, which
>      is sloppy

Again, as long as it's in tmp, that's not a problem.  If they want to 
put it somewhere else, and be "sloppy", then that's their choice.

--
Greg Marr
gregm@alum.wpi.edu
"We thought you were dead."
"I was, but I'm better now." - Sheridan, "The Summoning"

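The checks discussed in this thread (a sticky bit on a shared directory, a per-process socket name, and rw------- permissions), written out as an added example in C; it is not part of the original message or of Apache's code. The function names and the umask approach are assumptions, and the directory check also accepts a directory that only its owner can write to, as in option 4.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>

/* Hypothetical helper: returns 1 if other local users cannot remove entries
 * from `dir` (owner-only write access, or shared with the sticky bit set). */
int socket_dir_is_safe(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) == 0)
        return 1;                        /* private directory */
    return (st.st_mode & S_ISVTX) != 0;  /* shared: sticky bit required */
}

/* Hypothetical helper: creates <dir>/cgisock<PID> as a listening AF_UNIX
 * socket with mode 0600. Returns the fd or -1; the name is left in `path`. */
int create_cgid_socket(const char *dir, char *path, size_t len)
{
    struct sockaddr_un addr;
    mode_t old;
    int fd, n, rc;

    if (!socket_dir_is_safe(dir))
        return -1;                       /* fail rather than run unprotected */
    n = snprintf(path, len, "%s/cgisock%ld", dir, (long)getpid());
    if (n < 0 || (size_t)n >= len || (size_t)n >= sizeof(addr.sun_path))
        return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, (size_t)n + 1);
    unlink(path);       /* our own stale socket; someone else's makes bind fail */
    old = umask(0177);  /* bind() then creates the socket file as rw------- */
    rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    umask(old);
    if (rc != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The umask change is process-wide, so the call belongs in single-threaded startup code, after the switch away from root.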
