httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Bell <bobb...@zk3.dec.com>
Subject Re: suEXEC and /etc/passwd
Date Wed, 05 Feb 2003 04:35:36 GMT
On Wed, Feb 05, 2003 at 12:07:43AM +0100, André Malo <nd@perlig.de> wrote:
> * Bob Bell wrote:
> > The problem is that that user is in the /etc/passwd file for that
> > domain only, not in the global /etc/passwd file for the system,
> > which is what suEXEC checks.  From
> > http://httpd.apache.org/docs/suexec.html, a condition for success in
> > suEXEC is:
> >     5. Is the target user name valid?
> >         Does the target user exist?
> 
> What does that mean? Is that domain chrooted?

    Yes, at least many activities for the domain take place in
a chrooted environment.  The domain has it's own /etc/passwd, separate
from the global /etc/passwd.

> I don't know whether setuid(2) works without a valid system user.

    After someone alluded to this on the users list, I wrote a short
program and verified that this does indeed work.

> > I would like to know how to disable this check.  Do I have to comment
> > out the lines implementing it in the suEXEC source and recompile?  What
> > kind of problems do I open myself up to if I do?  (I can't think of any,
> > as long as the other checks are all in place, and I'm a reasonably
> > security-minded guy)
> 
> You're loosing some control anyway. AFAICS, simply commenting the code out 
> is not sufficient, since the rest of suexec relies on the filled pw 
> structure, so you have to rewrite it, too. Perhaps using 
> <http://cgiwrap.unixtools.org/intro.html> is the better choice for you.

    I'd really like to use suEXEC, if possible.  Running as a UID that
doesn't have a corresponding username in /etc/passwd shouldn't pose
a security problem, as the same security restrictions still apply.  The
security checks are all really based on UID anyway; usernames in
/etc/passwd are analogous to DNS names for IP addresses.

    If I were to take the time to make suexec independent of the pw
structure, would there be any interest?  (I'm not sure if I will, as
I don't have the familiarity with httpd or suexec development, nor am
I sure I have the time)

-- 
Bob Bell <bobbell@zk3.dec.com>
-------------------------------------------------------------------------
 "Tell a man there are 300 billion stars in the universe and he'll
  believe you. Tell him a bench has wet paint on it and he'll have
  to touch to be sure."
   -- Jarger

Mime
View raw message