httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm MacCarthaigh <c...@stdlib.net>
Subject clean up suexec doc
Date Mon, 01 Sep 2003 12:09:03 GMT

Summary; Change the list of list of checks in the security model
         to more accurately reflect what happens, and in the
         correct order. Also fix the default locations, and add
	 a subsection about setting paranoid permissions.

Index: manual/suexec.html.en
===================================================================
RCS file: /home/cvspublic/httpd-2.0/docs/manual/suexec.html.en,v
retrieving revision 1.47
diff -u -r1.47 suexec.html.en
--- manual/suexec.html.en	25 Jul 2003 18:31:25 -0000	1.47
+++ manual/suexec.html.en	1 Sep 2003 12:01:47 -0000
@@ -124,6 +124,16 @@
 
     <ol>
       <li>
+        <strong>Is the user executing this wrapper a valid user of
+        this system?</strong> 
+
+        <p class="indent">
+          This is to ensure that the user executing the wrapper is
+          truly a user of the system.
+        </p>
+     </li>
+
+     <li>
         <strong>Was the wrapper called with the proper number of
         arguments?</strong> 
 
@@ -138,16 +148,6 @@
       </li>
 
       <li>
-        <strong>Is the user executing this wrapper a valid user of
-        this system?</strong> 
-
-        <p class="indent">
-          This is to ensure that the user executing the wrapper is
-          truly a user of the system.
-        </p>
-      </li>
-
-      <li>
         <strong>Is this valid user allowed to run the
         wrapper?</strong> 
 
@@ -244,11 +244,12 @@
       </li>
 
       <li>
-        <strong>Does the directory in which the target CGI/SSI program
-        resides exist?</strong> 
+        <strong>Can we change directory to the one in which the target CGI/SSI program
+        resides?</strong> 
 
         <p class="indent">
-          If it doesn't exist, it can't very well contain files.
+          If it doesn't exist, it can't very well contain files. If we can't
+          change directory to it, it might aswell not exist.
         </p>
       </li>
 
@@ -443,10 +444,10 @@
 
 <div class="example"><p><code>
     suEXEC setup:<br />
-            suexec binary: /usr/local/apache/sbin/suexec<br />
-            document root: /usr/local/apache/share/htdocs<br />
+            suexec binary: /usr/local/apache2/sbin/suexec<br />
+            document root: /usr/local/apache2/share/htdocs<br />
            userdir suffix: public_html<br />
-                  logfile: /usr/local/apache/var/log/suexec_log<br />
+                  logfile: /usr/local/apache2/var/log/suexec_log<br />
                 safe path: /usr/local/bin:/usr/bin:/bin<br />
                 caller ID: www<br />
           minimum user ID: 100<br />
@@ -463,13 +464,40 @@
     command "make install" to install them. The binary image
     "suexec" is installed in the directory defined by the --sbindir
     option. Default location is
-    "/usr/local/apache/sbin/suexec".<br />
+    "/usr/local/apache2/sbin/suexec".<br />
      Please note that you need <strong><em>root
     privileges</em></strong> for the installation step. In order
     for the wrapper to set the user ID, it must be installed as
     owner <code><em>root</em></code> and must have the setuserid
     execution bit set for file modes.</p>
 
+    <p><strong>Setting paranoid permissions</strong><br />
+    Allthough the suexec wrapper will check to ensure that its
+    caller is the correct user as specified with the
+    "--with-suexec-caller" configure option, there is always the
+    possiblity that a system or library call suexec uses before
+    this check may be exploitable on your system. To counter this,
+    and because it is best-practise in general, you should use 
+    filesystem permissions to ensure that only the group apache 
+    runs as may execute suexec.</p>
+
+    <p>If for example, your webserver is configured to run as;</p>
+
+<div class="example"><p><code>
+    User www<br />
+    Group webgroup<br />
+</code></p></div>
+
+    <p>and suexec is installed at "/usr/local/apache2/sbin/suexec", you 
+    should run:</p>
+
+<div class="example"><p><code>
+    chgrp webgroup /usr/local/apache2/bin/suexec<br />
+    chmod 4750 /usr/local/apache2/bin/suexec<br />
+</code></p></div>
+
+    <p>This will ensure that only the group apache runs as can even
+    execute the suexec wrapper.</p>
 </div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif"
/></a></div>
 <div class="section">
 <h2><a name="enable" id="enable">Enabling &amp; Disabling
Index: manual/suexec.xml
===================================================================
RCS file: /home/cvspublic/httpd-2.0/docs/manual/suexec.xml,v
retrieving revision 1.9
diff -u -r1.9 suexec.xml
--- manual/suexec.xml	25 Jul 2003 18:31:25 -0000	1.9
+++ manual/suexec.xml	1 Sep 2003 12:01:47 -0000
@@ -96,6 +96,16 @@
 
     <ol>
       <li>
+        <strong>Is the user executing this wrapper a valid user of
+        this system?</strong> 
+
+        <p class="indent">
+          This is to ensure that the user executing the wrapper is
+          truly a user of the system.
+        </p>
+     </li>
+
+     <li>
         <strong>Was the wrapper called with the proper number of
         arguments?</strong> 
 
@@ -110,16 +120,6 @@
       </li>
 
       <li>
-        <strong>Is the user executing this wrapper a valid user of
-        this system?</strong> 
-
-        <p class="indent">
-          This is to ensure that the user executing the wrapper is
-          truly a user of the system.
-        </p>
-      </li>
-
-      <li>
         <strong>Is this valid user allowed to run the
         wrapper?</strong> 
 
@@ -216,11 +216,12 @@
       </li>
 
       <li>
-        <strong>Does the directory in which the target CGI/SSI program
-        resides exist?</strong> 
+        <strong>Can we change directory to the one in which the target CGI/SSI program
+        resides?</strong> 
 
         <p class="indent">
-          If it doesn't exist, it can't very well contain files.
+          If it doesn't exist, it can't very well contain files. If we can't
+          change directory to it, it might aswell not exist.
         </p>
       </li>
 
@@ -416,10 +417,10 @@
 
 <example>
     suEXEC setup:<br />
-            suexec binary: /usr/local/apache/sbin/suexec<br />
-            document root: /usr/local/apache/share/htdocs<br />
+            suexec binary: /usr/local/apache2/sbin/suexec<br />
+            document root: /usr/local/apache2/share/htdocs<br />
            userdir suffix: public_html<br />
-                  logfile: /usr/local/apache/var/log/suexec_log<br />
+                  logfile: /usr/local/apache2/var/log/suexec_log<br />
                 safe path: /usr/local/bin:/usr/bin:/bin<br />
                 caller ID: www<br />
           minimum user ID: 100<br />
@@ -436,13 +437,40 @@
     command "make install" to install them. The binary image
     "suexec" is installed in the directory defined by the --sbindir
     option. Default location is
-    "/usr/local/apache/sbin/suexec".<br />
+    "/usr/local/apache2/sbin/suexec".<br />
      Please note that you need <strong><em>root
     privileges</em></strong> for the installation step. In order
     for the wrapper to set the user ID, it must be installed as
     owner <code><em>root</em></code> and must have the setuserid
     execution bit set for file modes.</p>
 
+    <p><strong>Setting paranoid permissions</strong><br />
+    Allthough the suexec wrapper will check to ensure that its
+    caller is the correct user as specified with the
+    "--with-suexec-caller" configure option, there is always the
+    possiblity that a system or library call suexec uses before
+    this check may be exploitable on your system. To counter this,
+    and because it is best-practise in general, you should use 
+    filesystem permissions to ensure that only the group apache 
+    runs as may execute suexec.</p>
+
+    <p>If for example, your webserver is configured to run as;</p>
+
+<example>
+    User www<br />
+    Group webgroup<br />
+</example>
+
+    <p>and suexec is installed at "/usr/local/apache2/sbin/suexec", you 
+    should run:</p>
+
+<example>
+    chgrp webgroup /usr/local/apache2/bin/suexec<br />
+    chmod 4750 /usr/local/apache2/bin/suexec<br />
+</example>
+
+    <p>This will ensure that only the group apache runs as can even
+    execute the suexec wrapper.</p>
 </section>
 
 <section id="enable"><title>Enabling &amp; Disabling
-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net
colm@stdlib.net					  http://www.stdlib.net/

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message