httpd-dev mailing list archives

From Jacob Champion <champio...@gmail.com>
Subject Re: Feedback needed: suexec different-owner patch
Date Mon, 04 Apr 2016 19:11:58 GMT
On 04/02/2016 12:56 PM, Stefan Fritsch wrote:
> If suexec allowed to suid to a user different than the owner of a 
> script, on that server it would allow any local user to execute any 
> script as any other user. Even if suexec checked that the script is 
> owned by a special "trusted" user, it would still allow to execute 
> that script as any user, without any "opt-in" necessary by the target 
> user.

Ah, this finally made it click for me.

In the case where only the trusted-owner CGI script is compromised (e.g.
an arbitrary code execution vuln), this proposal makes things better,
since the attacker can at least be denied access to the disk. But if
httpd is compromised, it makes things worse, since the attacker can now
run the trusted-owner script as any non-system user. And if both httpd
and the trusted-owner script are compromised, this proposal makes things
*much* worse: an attacker can now run arbitrary code as any non-system user.

Thanks for your feedback on this. Your xattrs suggestion seems like it
might solve the two negative cases, but it uses a much more obscure
(IMO) mechanism to operate... Likewise, having suexec parse a separate
configuration file seems like a lot of complexity to add.

> BTW, using the immutable flag (which can only be done by root) on the 
> scripts is a work-around for your problem that does not involve 
> modifying suexec.

Good point, though I don't think it can be used for the proposed use
case (which was for the trusted user to be able to regularly maintain
the scripts).

--Jacob
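The "opt-in" Stefan describes is the ownership check itself: suexec only switches to a uid whose user owns the script, so a script owned by anyone else is never run under that user's identity. The following is an added illustrative check modelled on that rule (not suexec's own code, and not part of this thread); `check_script` and `make_sample_script` are hypothetical names, and the sample CGI script it writes is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Reasons a script is rejected before any uid switch happens. */
enum script_verdict {
    SCRIPT_OK = 0,
    SCRIPT_ERR_STAT,        /* path cannot be lstat()ed */
    SCRIPT_ERR_NOT_REGULAR, /* symlink, directory, device, ... */
    SCRIPT_ERR_OWNER,       /* owner != target uid: that user never opted in */
    SCRIPT_ERR_WRITABLE,    /* group- or world-writable: anyone could edit it */
    SCRIPT_ERR_SETID        /* setuid/setgid bits present */
};

/* Illustrative policy check modelled on suexec's "script owner must be the
 * target user" rule (hypothetical, not suexec's own code). The owner match is
 * the target user's opt-in: a script owned by anyone else is never run under
 * their uid, which is exactly what a different-owner mode would give up. */
enum script_verdict check_script(const char *path, uid_t target_uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)          /* lstat: a symlink is not followed */
        return SCRIPT_ERR_STAT;
    if (!S_ISREG(st.st_mode))
        return SCRIPT_ERR_NOT_REGULAR;
    if (st.st_uid != target_uid)
        return SCRIPT_ERR_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return SCRIPT_ERR_WRITABLE;
    if (st.st_mode & (S_ISUID | S_ISGID))
        return SCRIPT_ERR_SETID;
    return SCRIPT_OK;
}

/* Writes a constructed sample CGI script owned by the calling user into
 * out (>= 24 bytes); returns 0 on success. The caller unlinks it. */
int make_sample_script(char *out)
{
    const char *body = "#!/bin/sh\necho 'Content-Type: text/plain'\necho\necho hi\n";
    strcpy(out, "/tmp/cgi-sample-XXXXXX");
    int fd = mkstemp(out);               /* created 0600, owner = getuid() */
    if (fd < 0) return -1;
    if (write(fd, body, strlen(body)) < 0 || fchmod(fd, 0700) != 0) {
        close(fd); unlink(out); return -1;
    }
    close(fd);
    return 0;
}
```

Running `check_script` on the sample with the caller's own uid returns `SCRIPT_OK`; with any other uid it returns `SCRIPT_ERR_OWNER`, and making the file group/world-writable or setuid is rejected before the uid switch would ever happen.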
