httpd-dev mailing list archives

From André Malo ...@perlig.de>
Subject Re: suEXEC and /etc/passwd
Date Tue, 04 Feb 2003 23:07:43 GMT
* Bob Bell wrote:

> The problem is that that user is in the /etc/passwd file for that domain only,
> not in the global /etc/passwd file for the system, which is what suEXEC checks.
>  From http://httpd.apache.org/docs/suexec.html, a condition for success in
> suEXEC is:
>     5. Is the target user name valid?
>         Does the target user exist?

What does that mean? Is that domain chrooted?
I don't know whether setuid(2) works without a valid system user.

> I would like to know how to disable this check.  Do I have to comment
> out the lines implementing it in the suEXEC source and recompile?  What
> kind of problems do I open myself up to if I do?  (I can't think of any,
> as long as the other checks are all in place, and I'm a reasonably
> security-minded guy)

You're losing some control anyway. AFAICS, simply commenting the code out 
is not sufficient, since the rest of suexec relies on the filled pw 
structure, so you have to rewrite it, too. Perhaps using 
<http://cgiwrap.unixtools.org/intro.html> is the better choice for you.

nd
-- 
"An egg timer," Hermann explains to her, "consists of an egg. You take
the egg and boil it. When it is hard, five minutes are up. Then you know
that the time has passed."
                             -- Hannes Hüttner in "Das Blaue vom Himmel"
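
The dependency the reply describes, as an added sketch that is not part of the original message and is not suexec's source: a setuid wrapper takes the uid, gid, name and home directory from the passwd entry, so a target missing from the system database leaves the later steps with nothing to work on. The names `resolve_target` and `struct target_id` are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical type: the identity fields a setuid wrapper needs later on. */
struct target_id {
    uid_t uid;
    gid_t gid;
    char name[64];
    char home[256];
};

/* Look the target up in the system passwd database (name or numeric uid).
 * Returns 0 on success, -1 when there is no entry or a field does not fit. */
int resolve_target(const char *user, struct target_id *out)
{
    struct passwd *pw;
    if (user == NULL || *user == '\0')
        return -1;
    if (strspn(user, "0123456789") == strlen(user))
        pw = getpwuid((uid_t)strtoul(user, NULL, 10));
    else
        pw = getpwnam(user);
    if (pw == NULL)
        return -1; /* no entry: no uid/gid to switch to, no home directory */
    if (strlen(pw->pw_name) >= sizeof out->name ||
        strlen(pw->pw_dir) >= sizeof out->home)
        return -1;
    out->uid = pw->pw_uid;          /* a wrapper would pass this to setuid(2) */
    out->gid = pw->pw_gid;          /* ... and this to setgid(2) */
    strcpy(out->name, pw->pw_name); /* ... and this to initgroups(3) */
    strcpy(out->home, pw->pw_dir);  /* ... and use this for path checks */
    return 0;
}

int main(int argc, char **argv)
{
    struct target_id id;
    const char *user = argc > 1 ? argv[1] : "root";
    if (resolve_target(user, &id) != 0) {
        fprintf(stderr, "invalid target user: %s\n", user);
        return 1;
    }
    printf("%s uid=%lu gid=%lu home=%s\n", id.name,
           (unsigned long)id.uid, (unsigned long)id.gid, id.home);
    return 0;
}
```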