httpd-users mailing list archives

From Michael Carmack <kar...@karmak.org>
Subject Re: suexec questions
Date Fri, 10 May 2002 17:05:41 GMT
On Fri, May 10, 2002 at 12:04:25AM -0400, Joshua Slive wrote:
> Michael Carmack wrote:
> >Two quick suexec questions:
> >
> >1. What security risks are involved in setting "suexec-docroot=/"? 
> >   (Purpose: To allow virtual hosts to run cgi programs anywhere on 
> >   the filesystem.)
> 
> 
> The security risk is that you allow programs to run anywhere on the 
> filesystem.
> 
> Consider the case where someone manages to compromise the apache userid. 
>  Then this person would be able to run almost any program on the system 
> with the permission of that program's owner (subject to one or two other 
> suexec constraints -- they probably couldn't run as root).  Nasty!

If Apache runs under a unique uid/gid and non-password account, is this 
still a threat? It seems the only way to get to the apache userid in such 
a case would be to go through root, but at that point security has already 
been fully compromised anyway.

m.
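As an added illustration of the point under discussion (not code from this thread or from Apache's suexec), here is a small Python model of the docroot confinement check, with the "not root / not a system account" constraint Joshua alludes to. UID_MIN, the function names and the sample paths are assumptions; real suexec enforces further checks (directory and file ownership, world-writable directories, setuid/setgid bits) that this model omits.

```python
import os

# Assumed build-time value (--with-suexec-uidmin); pick whatever your build uses.
UID_MIN = 100


def path_within_docroot(docroot: str, script: str) -> bool:
    """True when the script's directory lies under docroot.

    Paths are normalised first so '..' segments cannot escape, and the
    comparison is on whole path components so '/var/wwwroot' is not
    mistaken for a child of '/var/www'.
    """
    root = os.path.normpath(docroot)
    target = os.path.normpath(os.path.dirname(script))
    if root == os.sep:
        # suexec-docroot=/ : every directory on the filesystem qualifies,
        # which is exactly the risk raised in the thread.
        return True
    return target == root or target.startswith(root + os.sep)


def would_suexec_run(docroot: str, script: str, owner_uid: int):
    """Simplified model of the decision: returns (allowed, reason)."""
    if owner_uid == 0:
        return False, "target uid is root"
    if owner_uid < UID_MIN:
        return False, f"target uid {owner_uid} is below UID_MIN"
    if not path_within_docroot(docroot, script):
        return False, "script outside suexec-docroot"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a CGI owned by uid 1001 living in a home directory.
    script = "/home/alice/bin/tool.cgi"
    for docroot in ("/var/www", "/"):
        allowed, why = would_suexec_run(docroot, script, 1001)
        print(f"docroot={docroot!r:10} -> allowed={allowed} ({why})")
```

With docroot `/var/www` the home-directory script is refused; with docroot `/` the only remaining barriers are the uid constraints.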



