httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Carmack <kar...@karmak.org>
Subject Removing an suexec check
Date Fri, 10 May 2002 07:11:28 GMT

A security question:

I have a virtual hosting environment where every vhost is assigned a 
unique uid/gid. These are arranged in directories correspond to their
domains:

/net/
    |- domain1.com/
    |             |- home
    |             |- www
    |
    |- domain2.com/
    |             |- home
    |             |- www


Now, on other parts of the filesystem I have cgi programs that have come
from third-parties, e.g.:

/pkg/
    |- awstats/
    |         |- bin/
    |               |- awstats.pl
    | 
    |- courier/
    |         |- www/
    |               |- webmail.cgi


What I'd like to be able to do is allow the vhosts to run the cgi programs
that come from third parties *without* having to place a copy of every cgi
in each domain's hierarchy.

Without suexec turned on, this works fine. Domains are allowed to share
common CGI scripts, and if a particular cgi is suid (e.g. the webmail
program), then it runs suid.

These things break after turning on suexec for the vhosts. The awstats.pl 
and webmail.cgi won't run, because they aren't owned by the vhost calling
them. I could give a copy of awstats.pl to every vhost, but then I lose
all the benefits of modularization. And this won't even work for webmail,
because suexec prohibits suid.

Presumably, if I get rid of the suexec checks for uid/gid/suid/sgid, I get
the desired behavior, which is for all vhosts to be allowed to run any cgi
on the system either (1) under their own uid/gid, or (2) suid/sgid if the
cgi is marked as such.

A couple relevant points:

I allow vhosts to use custom cgi anyway, so there's nothing that prevents
them from uploading any program already on the system and running it out
of their home directories. This seems to negate the protection offered by
the uid/gid check.

Also, I'm not concerned about the vhosts running programs suid. As the
administrator, if a program is set suid on my system, I intend for it to
be run suid. All vhosts have shell accounts anyway, so the security
offered by the suid/sgid check also seems to be negated.

The question is: Does removing the uid/gid/suid/sgid checks from suexec
pose any greater security threat given this environement?

m.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message