httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm MacCárthaigh <colmm...@Redbrick.DCU.IE>
Subject suexec related patches for PR 7810, 7791, 8291, 9038
Date Sun, 26 May 2002 03:17:48 GMT

Since there have been some changes to the affected source files
and multiple problems presented themselves in unixd.c, my patches
to make suexec + [ mod_include | mod_userdir | mod_cgid ] work
were getting stale. So I've rediffed them against CVS.

I also had a good look through all of the suexec bugs, I'm using
the patches on a production system now with over 2000 shell users
(redbrick.dcu.ie) and it's proving stable.

Anyway, I think they fix these :

 PR 7810 - suexec + mod_userdir + mod_cgid needed fixing (also 
           it's currently insecure by default, this really needs
           to be fixed)
 PR 7791 - malformed arguments array passed to suexec
 PR 8291 - mod_include + suexec "exec cmd" not working
 PR 9038 - really a duplicate of 7810

Some notes:

  1: http://redbrick.dcu.ie/~colmmacc/patches/mod_cgid.patch
  2: http://redbrick.dcu.ie/~colmmacc/patches/unixd.patch
  3: http://redbrick.dcu.ie/~colmmacc/patches/mod_include.patch

  patch 1 (mod_cgid.c)    fixes 7810/9039/mod_cgid, it just works.
  patch 2 (unixd.c)       fixes 7791 and 8291 
  patch 3 (mod_include.c) makes patch 2 secure. (otherwise include
                          file="some.cgi" runs as the server user)
Other Patches:

These are against 2.0.36, but should apply to CVS.   

Whilst trawling code for patch 2 I noticed that in 
srclib/apr/threadproc/unix/proc.c shell commands get executed
as:

        shell -c argv0 argv1 argv2

I believe it should be:

        shell -c "argv0 argv1 .."

I initially fixed the suexec problem this way ... because "shell -c
suexec user group ... " would never work (at least with my /bin/sh), 
but fixing it such that "shell -c 'suexec user group ... '" leads to 
simple exploits like :

<!--#exec cmd="somecmd ; evilcmd"-->

being trivial. I used the code in patch 4 (proc.c) to fix this for
me though (for the general non-suexec case) ... it might be desireable 
anyway , just to have exec cmd work in general. 

  4: http://redbrick.dcu.ie/~colmmacc/patches/proc.patch 

And finally , a whole bundle of patches related to the comment in the 
STATUS file:

* PR#1120: suexec
      suexec does not parse arguments to #exec cmd

I decided to make this work, for my own amusement. The result is rather
convoluted though , but if anyone is interested in resolving this issue, 
it's there. Basically just define a trusted system shell at buildtime
and have suexec allow it be used .. and have unixd.c detect shellcmd's
and warp what suexec gets sent on that basis. It's at:

  http://redbrick.dcu.ie/~colmmacc/patches/suexec-shell.patch

All of the patches are proving useful to us at least, but I would
say that a patch to mod_cgid should be a matter of priority for
the next release of apache, as it is currently a security hole.

-- 
colmmacc@redbrick.dcu.ie        PubKey: colmmacc+pgp@redbrick.dcu.ie  
Web:                                 http://devnull.redbrick.dcu.ie/ 

Mime
View raw message