httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Wed, 07 Jun 2000 16:46:27 GMT
On Wed, 7 Jun 2000, Jeff Trawick wrote:

> This patch teaches mod_cgid to call unixd_setup_child() from the cgi
> daemon so that the daemon runs as the same user/group as the rest of
> Apache.  (Background: unixd_setup_child() does nothing if euid/egid !=
> 0 but otherwise switches to the uid and/or gid specified via User and
> Group.)
> 
> Also, we play with the umask() during the call to bind() so that only
> code with our euid can connect() to it.
> 
> Any concerns?
> 
> One concern I have is with the permissions of the log directory (which
> is where the Unix socket lives).  With this patch, the configured user
> must have write access to that directory because we've already
> switched to that user before creating the socket.  On my setup, at
> least, I had to change the permissions of the log directory, because
> the files which were created there all along were created while Apache
> was running with euid zero.
> 
> (Maybe it is an existing requirement that the configured user can
> write to the log directory; I dunno.)

It is an existing requirement that the user Apache runs as (assuming it is
started as root) MUST NOT be able to write to the logs directory (ie. any
directory where logs, pid file, etc. are written).

Setting permissions so that they can is a major security problem.


Mime
View raw message