httpd-dev mailing list archives

From Jim Jagielski <>
Subject Re: Suexec permissions question
Date Thu, 03 Mar 2016 18:22:17 GMT

> On Feb 29, 2016, at 11:22 AM, wrote:
> I understand the point of not allowing apache to suexec any
> arbitrary file, and matching user:group makes sense to an extent.
> But using user:group as blind labels ignores what these permissions
> really mean to the kernel.

No, it's meant to work *with* file-level permissions.

> Any running program has access to modify any files and folders
> belonging to its user by definition.  If you chmod that away,
> it can chmod them right back.  This is very difficult to prevent
> without resorting to read-only filesystems, immutable bits, or
> ACLs.  This is why most executables -- including suexec itself!
> -- aren't owned by the users who run them.
> The ability to name a specific required owner, DIFFERENT from
> what's being suexec-ed to, would close this security hole.

I still don't understand what your actual concern is, nor
the attack vector that you are trying to fix. Can you
provide more detail, being as specific as possible?

