httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: Feedback needed: suexec different-owner patch
Date Wed, 30 Mar 2016 20:49:33 GMT
On Saturday 19 March 2016 11:09:40, monttyle@heavyspace.ca wrote:
> Since it's been a while since this issue was mentioned, this patch
> allows Apache to suexec files by a different (but still restricted
> by UID) owner, to avoid the security issue where apache forces you
> to suexec to files it has full chmod access to.
> 
> -------- Original Message --------
> Subject: suexec different-owner patch
> Date: 2016-03-04 18:33
> From: monttyle@heavyspace.ca
> To: dev@httpd.apache.org
> Reply-To: dev@httpd.apache.org
> 
> Here is my first try at a patch for my suggestion, modified from
> httpd 2.2.31.  It works to my satisfaction, able to switch to a UID
> other than the file's owner, while still strictly matching the UID
> and GID of the file against known values.  I make no guarantees of
> correctness or bug-freeness however.  The changes are so simple
> though, I hope there's nothing flagrantly wrong.
> 
> It uses another option, "SuexecFileGroup", which independently
> defines the specific user and group the file must belong to.  If
> you don't define it, it defaults to the old behavior.  I re-used
> suexec's own sanity checking on the new option where it seemed
> appropriate.
> 
> Criticisms, please?

You are doing the configuration parsing in httpd, and then passing the 
allowed uid/group to suexec as command-line arguments.

Sorry, but that is not a good approach. You must assume that a local 
attacker calls suexec directly and passes arguments of his liking. 
That is the attack vector that suexec's rather annoying restrictions 
try to avoid.

So the config file parsing would have to be done inside suexec, with 
the config file path being compiled into the suexec utility. Of 
course, this would cause some slowdown because suexec would need to 
parse its config file on every request.

A different idea would be to use filesystem xattrs. Maybe check for an 
xattr APACHE_SUEXEC_ALLOWED, and if a file is owned by root and has 
that xattr, suexec would allow changing to the user specified in the 
xattr.

But these two approaches are just ideas. I don't know if they would be 
accepted in httpd.
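
The first suggestion above, that the allowed-owner policy must be read by suexec itself from a compiled-in config file and never taken from its command line, as an added C example that is not part of the submitted patch or of httpd's own suexec: the config text, its line format and the SUEXEC_OWNER_CONF name are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the file a real suexec would open from a path
   fixed at build time (hypothetical SUEXEC_OWNER_CONF), never from argv.
   Assumed line format: target_uid target_gid file_uid file_gid */
static const char SAMPLE_CONF[] =
    "# run-as uid/gid   required owner uid/gid of the script\n"
    "1001 1001 0 1001\n"     /* user 1001's scripts must be root:1001 */
    "1002 1002 2000 2000\n"; /* user 1002's scripts must be 2000:2000 */

/* Returns 1 if a script owned by file_uid:file_gid may be run as
   target_uid:target_gid, else 0. target_* are what httpd passes on the
   command line (and what a local caller of suexec can choose freely);
   the owner the file must have comes only from the trusted config text,
   so an attacker cannot widen the policy by supplying extra arguments. */
int suexec_owner_allowed(const char *conf, uid_t target_uid, gid_t target_gid,
                         uid_t file_uid, gid_t file_gid)
{
    const char *line = conf;
    while (line && *line) {
        unsigned long tu, tg, fu, fg;
        if (*line != '#' &&
            sscanf(line, "%lu %lu %lu %lu", &tu, &tg, &fu, &fg) == 4 &&
            tu == target_uid && tg == target_gid) {
            /* Matching entry: the file must have exactly the configured owner. */
            return file_uid == fu && file_gid == fg;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    /* No entry: stock suexec rule, the file must be owned by the target user. */
    return file_uid == target_uid && file_gid == target_gid;
}

int main(void)
{
    /* root:1001 file run as 1001:1001 -> allowed by the config entry */
    printf("%d\n", suexec_owner_allowed(SAMPLE_CONF, 1001, 1001, 0, 1001));
    /* 1001:1001 file run as 1001:1001 -> denied, the entry overrides the old rule */
    printf("%d\n", suexec_owner_allowed(SAMPLE_CONF, 1001, 1001, 1001, 1001));
    /* no entry for 1003 -> classic behaviour, file must be owned by 1003:1003 */
    printf("%d\n", suexec_owner_allowed(SAMPLE_CONF, 1003, 1003, 1003, 1003));
    return 0;
}
```

Real suexec would still apply its other checks (rejecting uid 0 as a target, directory and mode checks) before this one; the example isolates only the trust boundary for the allowed owner.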

