httpd-dev mailing list archives

From r..@covalent.net
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Thu, 08 Jun 2000 00:18:39 GMT

> >   fork() daemon process
> >   in child:
> >     initialize Unix socket with permissions rw-------
> >     if (!geteuid()) {
> >         use chown() to change ownership of the Unix socket to the user
> >         that httpd runs as
> >     }
> >     call unixd_setup_child()
> > 
> > Any problems with this?  What am I missing?
> 
> This still allows people who can compromise the user Apache runs as to
> make random requests to cgid.  Is that an issue?  I don't know, I don't
> know anything about cgid.

Is this an issue?  Yes, but a small one.  Basically, mod_cgid packages up
a lot of information and passes it down the socket to tell Apache how to
run the CGI.  So, what we are basically saying is that it is possible for
a stranger to tell Apache to execute a CGI program.  That's actually fine,
because if Apache has access to a CGI program so that it can run it, a
user can use telnet to accomplish the same thing using mod_cgi.  I believe
this is a non-issue.  The only thing we may need to do is to have
mod_cgid do the checking for access to CGI scripts in the cgid process
instead of in the Apache child process.

> The "normal" way to do things would be to open the Unix socket in the
> parent as root, and keep it open so it is inherited by the child
> processes.  I don't know if that works for this.

The problem is that Apache is responsible for both sides of this
socket.  The first side is the cgid process that reads from the
socket.  The second is the child process that must connect to the socket and
write to it.  Because the child process opens it only when there is a CGI
request, the child process must have write access during execution.

I believe the above code is the correct approach.  This is still
vulnerable if an alien CGI is put on the system, but Apache is always
vulnerable in that case.

Ryan

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------

