httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Sutherland <ja...@cam.ac.uk>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Thu, 08 Jun 2000 09:43:07 GMT
On Wed, 7 Jun 2000, Marc Slemko wrote:

> On Wed, 7 Jun 2000, Jeff Trawick wrote:
> 
> > To clarify the order:
> > 
> >   fork() daemon process
> >   in child:
> >     initialize Unix socket with permissions rw-------
> >     if (!geteuid()) {
> >         use chown() to change ownership of the Unix socket to the user
> >         that httpd runs as
> >     }
> >     call unixd_setup_child()
> > 
> > Note that we call unixd_setup_child() even if euid != 0, as
> > unixd_setup_child() does stuff if egid != 0.  We don't need to care 
> > about gid for purposes of the socket; we won't even bother looking at egid.
> > 
> > Also, note that you can already override the default socket name
> > of prefix/logs/cgisock.  (I didn't realize it at the time.)  If you run
> > more than one copy of Apache+cgid and you don't override the root
> > directory, you'll have to override the name for at least one copy.  If
> > this is a real hardship, we can worry about that later.  I think we 
> > have a solution for the critical issues, so I'm happy.
> > 
> > Any problems with this?  What am I missing?
> 
> This still allows people who can compromise the user Apache runs as to
> make random requests to cgid.  Is that an issue?  I don't know, I don't
> know anything about cgid.

If they have access to Apache's user account, the system is cracked wide
open anyway. This shouldn't be an issue (at least provided no untrusted
CGI scripts ever run as the Apache user.)

> The "normal" way to do things would be to open the Unix socket in the
> parent as root, and keep it open so it is inherited by the child
> processes.  I don't know if that works for this.

My suggested solution could do this, meaning only the cgid process can
open the socket; OTOH, if the malicious user has access to Apache's user
account, he can just kill off or impersonate the server...


James.


Mime
View raw message