httpd-dev mailing list archives

From Benjamin Coddington <bcodd...@uvm.edu>
Subject Re: [PATCH 49220] mod_fcgid - restrict arbitrary command execution from .htaccess files
Date Fri, 27 Sep 2013 17:50:45 GMT
On Sep 27, 2013, at 8:41 AM, Jeff Trawick <trawick@gmail.com> wrote:

> On Fri, Sep 20, 2013 at 4:31 PM, Benjamin Coddington <bcodding@uvm.edu> wrote:
> 
>> Hello everyone,
>> 
>> We're looking at moving our shared hosting execution behind mod_fcgid and
>> suexec, but we need to continue to allow our users .htaccess 'Files'
>> overrides.  The current mod_fcgid allows users to execute arbitrary
>> commands by configuring the FcgidAccessChecker, FcgidAuthenticator,
>> FcgidAuthorizer, and FcgidWrapper directives within .htaccess files.
>> 
>> - https://issues.apache.org/bugzilla/show_bug.cgi?id=49220
>> 
>> I've approached a fix by creating a directive that would disable the
>> application of those directives within .htaccess files if set; that patch
>> has been submitted to the httpd bug 49220.
>> 
>> You might shrewdly wonder "how can this matter - this is cgi after all,
>> we're just going to try to exec the resulting file!", but we're able to get
>> away from that by disabling ExecCGI globally and setting it per-request in
>> separate module which also ensures the request is mapped to our specific
>> FcgidWrapper.
>> 
>> I see mod_fcgid 2.3.8 is closing in a few days; any chance to sneak this
>> in?  Thanks for your time and consideration.
>> 
>> Ben
> 
> 
> I'd like to see this aligned with 2.4's AllowOverrideList as much as
> practical, but AllowOverrideList is more flexible and I haven't yet looked
> at what changes to the patch would be necessary.  The feature should be
> disabled when building for 2.4/trunk since those server versions already
> have an appropriate feature.  It would be nice if the only change when
> moving between server versions is
> "FcgidAllowOverrideList"<->"AllowOverrideList".

After your comments, I've looked closer at using AllowOverrideList to
accomplish the same thing in configuration alone.  I realized that when I
initially tested this I had overlooked an 'AllowOverride FileInfo' in my
config.

So, while this approach may help the listed issue, it's not something we
require on 2.4.  It would be nice to have the inverse of AllowOverrideList
(RestrictOverrideList?) that would explicitly deny directives allowed by the
AllowOverride groups, since I'll now need to generate a large number of
AllowOverrideList configurations in order to implement this across our
hosting - which requires I walk our modules to find all the directives in
FileInfo and explicitly allow them to disable these mod_fcgid directives.

Ben
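The message above describes the httpd 2.4 approach: switch to `AllowOverride None` and enumerate, per vhost, an `AllowOverrideList` of every FileInfo directive except the mod_fcgid ones. The script below is an added example written for this page, not code from the thread or from httpd/mod_fcgid. It parses the output of `httpd -L` (which prints each directive name at column 0, followed by indented lines such as "Allowed in *.conf anywhere and in .htaccess" and "when AllowOverride includes FileInfo") and emits the matching `AllowOverrideList` line. The `httpd -L` sample embedded in the script is constructed for the demo and is assumed to match that format; the function names are the example's own.

```shell
#!/bin/sh
# Added example: build an AllowOverrideList that grants every FileInfo-overridable
# directive EXCEPT those matching a pattern (here the mod_fcgid directives), so a
# <Directory> block can use "AllowOverride None" plus the generated line.

# fileinfo_directives: read `httpd -L` output on stdin and print one name per line
# for every directive that .htaccess may set once AllowOverride includes FileInfo
# (or "isn't None", which httpd prints for directives allowed by every group).
fileinfo_directives() {
    awk '
        /^[A-Za-z]/ { name = $1; next }   # "Name (module.c)" lines start at column 0
        /when AllowOverride/ && (/includes .*FileInfo/ || /isn.t None/) { print name }
    '
}

# allowoverride_list: read directive names on stdin, drop those matching the
# extended-regex pattern in $1, and print a single AllowOverrideList line.
allowoverride_list() {
    grep -v -E "$1" | sort -u | tr '\n' ' ' | sed 's/^/AllowOverrideList /; s/ $//'
}

# Constructed stand-in for `httpd -L` output (assumed format; not captured from a
# real server). %b expands the \t so the continuation lines are tab-indented.
sample_httpd_L() {
    printf '%b\n' \
        'LoadModule (mod_so.c)' \
        '\ta module name and the name of a shared object file to load it from' \
        '\tAllowed in *.conf only outside <Directory>, <Files>, <Location>, or <If>' \
        'Options (core.c)' \
        '\tOne or more of: ExecCGI, FollowSymLinks, Includes, Indexes, MultiViews' \
        '\tAllowed in *.conf anywhere and in .htaccess' \
        '\twhen AllowOverride includes Options' \
        'AddHandler (mod_mime.c)' \
        '\ta handler name followed by one or more file extensions' \
        '\tAllowed in *.conf anywhere and in .htaccess' \
        '\twhen AllowOverride includes FileInfo' \
        'Header (mod_headers.c)' \
        '\tan optional condition, an action, header and value' \
        '\tAllowed in *.conf anywhere and in .htaccess' \
        '\twhen AllowOverride includes FileInfo' \
        'RewriteRule (mod_rewrite.c)' \
        '\tan URL-applied regexp-pattern and a substitution URL' \
        '\tAllowed in *.conf anywhere and in .htaccess' \
        '\twhen AllowOverride includes FileInfo' \
        'FcgidWrapper (mod_fcgid.c)' \
        '\ta shell command name followed by a file extension' \
        '\tAllowed in *.conf anywhere and in .htaccess' \
        '\twhen AllowOverride includes FileInfo' \
        'FcgidAccessChecker (mod_fcgid.c)' \
        '\ta absolute filename' \
        '\tAllowed in *.conf anywhere and in .htaccess' \
        '\twhen AllowOverride includes FileInfo' \
        'FcgidAuthenticator (mod_fcgid.c)' \
        '\ta absolute filename' \
        '\tAllowed in *.conf anywhere and in .htaccess' \
        '\twhen AllowOverride includes FileInfo' \
        'FcgidAuthorizer (mod_fcgid.c)' \
        '\ta absolute filename' \
        '\tAllowed in *.conf anywhere and in .htaccess' \
        '\twhen AllowOverride includes FileInfo'
}

# Against a real server you would run:  httpd -L | fileinfo_directives | allowoverride_list '^Fcgid'
# Stand-alone demo on the constructed sample:
sample_httpd_L | fileinfo_directives | allowoverride_list '^Fcgid'
```

The printed line belongs in the `<Directory>` block next to `AllowOverride None`; leaving `AllowOverride FileInfo` in place would re-enable the Fcgid* directives regardless of the list, which is the oversight the message describes. Re-run the script whenever modules are added, since a newly loaded module's FileInfo directives will not be in the list until it is regenerated.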

