httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Pane <bp...@pacbell.net>
Subject Re: suexec related patches for PR 7810, 7791, 8291, 9038
Date Sun, 26 May 2002 08:45:01 GMT
Thanks, I've committed patches 2 and 3.  I'll finish up the
others tomorrow unless someone else gets to them first.

--Brian

On Sat, 2002-05-25 at 20:17, Colm MacCárthaigh wrote:
> 
> Since there have been some changes to the affected source files
> and multiple problems presented themselves in unixd.c, my patches
> to make suexec + [ mod_include | mod_userdir | mod_cgid ] work
> were getting stale. So I've rediffed them against CVS.
> 
> I also had a good look through all of the suexec bugs, I'm using
> the patches on a production system now with over 2000 shell users
> (redbrick.dcu.ie) and it's proving stable.
> 
> Anyway, I think they fix these :
> 
>  PR 7810 - suexec + mod_userdir + mod_cgid needed fixing (also 
>            it's currently insecure by default, this really needs
>            to be fixed)
>  PR 7791 - malformed arguments array passed to suexec
>  PR 8291 - mod_include + suexec "exec cmd" not working
>  PR 9038 - really a duplicate of 7810
> 
> Some notes:
> 
>   1: http://redbrick.dcu.ie/~colmmacc/patches/mod_cgid.patch
>   2: http://redbrick.dcu.ie/~colmmacc/patches/unixd.patch
>   3: http://redbrick.dcu.ie/~colmmacc/patches/mod_include.patch
> 
>   patch 1 (mod_cgid.c)    fixes 7810/9039/mod_cgid, it just works.
>   patch 2 (unixd.c)       fixes 7791 and 8291 
>   patch 3 (mod_include.c) makes patch 2 secure. (otherwise include
>                           file="some.cgi" runs as the server user)
> Other Patches:
> 
> These are against 2.0.36, but should apply to CVS.   
> 
> Whilst trawling code for patch 2 I noticed that in 
> srclib/apr/threadproc/unix/proc.c shell commands get executed
> as:
> 
>         shell -c argv0 argv1 argv2
> 
> I believe it should be:
> 
>         shell -c "argv0 argv1 .."
> 
> I initially fixed the suexec problem this way ... because "shell -c
> suexec user group ... " would never work (at least with my /bin/sh), 
> but fixing it such that "shell -c 'suexec user group ... '" leads to 
> simple exploits like :
> 
> <!--#exec cmd="somecmd ; evilcmd"-->
> 
> being trivial. I used the code in patch 4 (proc.c) to fix this for
> me though (for the general non-suexec case) ... it might be desireable 
> anyway , just to have exec cmd work in general. 
> 
>   4: http://redbrick.dcu.ie/~colmmacc/patches/proc.patch 
> 
> And finally , a whole bundle of patches related to the comment in the 
> STATUS file:
> 
> * PR#1120: suexec
>       suexec does not parse arguments to #exec cmd
> 
> I decided to make this work, for my own amusement. The result is rather
> convoluted though , but if anyone is interested in resolving this issue, 
> it's there. Basically just define a trusted system shell at buildtime
> and have suexec allow it be used .. and have unixd.c detect shellcmd's
> and warp what suexec gets sent on that basis. It's at:
> 
>   http://redbrick.dcu.ie/~colmmacc/patches/suexec-shell.patch
> 
> All of the patches are proving useful to us at least, but I would
> say that a patch to mod_cgid should be a matter of priority for
> the next release of apache, as it is currently a security hole.
> 
> -- 
> colmmacc@redbrick.dcu.ie        PubKey: colmmacc+pgp@redbrick.dcu.ie  
> Web:                                 http://devnull.redbrick.dcu.ie/ 



Mime
View raw message