Date: Thu, 8 Jun 2000 10:43:07 +0100 (BST)
From: James Sutherland
To: TLOSAP
Subject: Re: [PATCH] security - run mod_cgid's daemon under same user as Apache

On Wed, 7 Jun 2000, Marc Slemko wrote:

> On Wed, 7 Jun 2000, Jeff Trawick wrote:
>
> > To clarify the order:
> >
> > fork() daemon process
> > in child:
> > initialize Unix socket with permissions rw-------
> > if (!geteuid()) {
> > use chown() to change ownership of the Unix socket to the user
> > that httpd runs as
> > }
> > call unixd_setup_child()
> >
> > Note that we call unixd_setup_child() even if euid != 0, as
> > unixd_setup_child() does stuff if egid != 0. We don't need to care
> > about gid for purposes of the socket; we won't even bother looking at egid.
> >
> > Also, note that you can already override the default socket name
> > of prefix/logs/cgisock. (I didn't realize it at the time.) If you run
> > more than one copy of Apache+cgid and you don't override the root
> > directory, you'll have to override the name for at least one copy. If
> > this is a real hardship, we can worry about that later. I think we
> > have a solution for the critical issues, so I'm happy.
> >
> > Any problems with this? What am I missing?
>
> This still allows people who can compromise the user Apache runs as to
> make random requests to cgid. Is that an issue? I don't know, I don't
> know anything about cgid.
If they have access to Apache's user account, the system is cracked wide
open anyway. This shouldn't be an issue (at least provided no untrusted CGI
scripts ever run as the Apache user).

> The "normal" way to do things would be to open the Unix socket in the
> parent as root, and keep it open so it is inherited by the child
> processes. I don't know if that works for this.

My suggested solution could do this, meaning only the cgid process can open
the socket; OTOH, if the malicious user has access to Apache's user account,
he can just kill off or impersonate the server...

James.
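The setup order Jeff Trawick lays out in the quoted message (create the Unix socket with mode rw-------, chown it to the httpd user while still root, then drop privileges) as an added C example; this is not Apache's mod_cgid code, and the function names, the socket path and the uid/gid arguments are assumptions made for the demonstration.

```c
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <string.h>
#include <unistd.h>

/* Create the daemon's Unix socket at `path` with mode rw------- and, while
 * still root, chown it to the httpd user/group. Returns a listening fd or -1. */
int cgid_socket_create(const char *path, uid_t uid, gid_t gid)
{
    struct sockaddr_un sa; mode_t old; int fd;

    if (strlen(path) >= sizeof(sa.sun_path))
        return -1;
    unlink(path);                           /* discard a stale socket node */
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    /* Tight umask while bind() creates the node; chmod() then pins rw-------. */
    old = umask(077);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0
        || chmod(path, S_IRUSR | S_IWUSR) < 0
        || (geteuid() == 0 && chown(path, uid, gid) < 0)  /* only root may */
        || listen(fd, 5) < 0) {
        umask(old);
        close(fd);
        unlink(path);
        return -1;
    }
    umask(old);
    return fd;
}

/* Drop to the httpd user once the socket exists: gid when egid is 0, then uid
 * when euid is 0, so calling it after a non-root start is harmless. */
int cgid_drop_privileges(uid_t uid, gid_t gid)
{
    if (getegid() == 0 && setgid(gid) < 0)
        return -1;
    return (geteuid() == 0 && setuid(uid) < 0) ? -1 : 0;
}

/* Permission bits of the socket node, for verification; -1 if it is missing. */
int cgid_socket_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}
```

A production version would also clear supplementary groups (setgroups()) before setuid(); it is left out here so the block compiles unchanged on any POSIX system.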