From: Michael Carmack
To: users@httpd.apache.org
Subject: Re: Removing an suexec check
Date: Tue, 14 May 2002 04:12:50 +0000
Message-ID: <20020514041250.GD5677@ariel.karmak.org>
References: <20020510071128.GA27697@ariel.karmak.org>

On Fri, May 10, 2002 at 07:40:06AM -0700, Joshua Slive wrote:
>
> I think you are missing an important point. Again, consider the case
> where someone compromises the apache userid. Then they would have
> available to them a program (suexec) that could run any accessible program
> under any userid they wanted. This would likely allow them to quickly
> compromise any userid on the system.

I see your point. Suppose I'm in a virtual hosting environment, where I set the User and Group directives for every request, causing all of the vhosts (including the default) to run under a unique User/Group, none of which are the apache User/Group. Furthermore, access to CGI outside each vhost's document root is prohibited by default, so only those CGI scripts that have been explicitly requested will be available to any given vhost.
Can you think of a way (short of an unknown software glitch) that this environment can be exploited if the suexec uid/gid/suid/sgid checks are skipped? If I understand things correctly, with this setup CGI should never be executed under the Apache UID/GID (preventing arbitrary suexec calls), and CGI will only be run under a vhost UID when explicitly requested (preventing execution of insecure code).

m.
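A small model of the wrapper checks the thread is debating, added here as an illustration and not part of the thread or of suexec.c itself; the uid constants, the constructed Request records and the skip_identity_checks switch are assumptions chosen to show which requests each check rejects and what a call looks like once the caller/target identity checks are removed:

```python
"""Simplified model of suexec-style pre-execution checks (added example).

Not suexec's own code: the constants, the Request record and the
'skip_identity_checks' switch are assumptions for illustration only.
"""
from dataclasses import dataclass
import stat

HTTPD_UID = 48      # constructed: uid the web server itself runs as
UID_MIN = 500       # constructed: lowest uid a CGI may be switched to
GID_MIN = 100       # constructed: lowest gid a CGI may be switched to


@dataclass(frozen=True)
class Request:
    caller_uid: int     # real uid of the process invoking the wrapper
    target_uid: int     # uid the CGI is asked to run as
    target_gid: int     # gid the CGI is asked to run as
    script_mode: int    # st_mode of the CGI file (constructed value)
    script_owner: int   # st_uid of the CGI file (constructed value)


def check_request(req: Request, skip_identity_checks: bool = False) -> str:
    """Return 'ok' or the name of the first check that rejects the request.

    With skip_identity_checks=True the caller-uid and minimum uid/gid
    checks are bypassed, modelling the modification discussed above.
    """
    if not skip_identity_checks:
        # Only the web server's own uid may invoke the wrapper at all.
        if req.caller_uid != HTTPD_UID:
            return "caller-not-httpd"
        # Never switch to root or other low-numbered system accounts.
        if req.target_uid < UID_MIN:
            return "target-uid-below-min"
        if req.target_gid < GID_MIN:
            return "target-gid-below-min"
    # A setuid/setgid CGI would escalate beyond the target uid/gid.
    if req.script_mode & (stat.S_ISUID | stat.S_ISGID):
        return "script-is-setuid-or-setgid"
    # The script must belong to the user it is about to run as.
    if req.script_owner != req.target_uid:
        return "script-not-owned-by-target"
    return "ok"
```

With the identity checks left in place, a request from any uid other than the web server's is refused before the file is even examined; with them skipped, the remaining file-based checks are all that stand between the caller and the requested uid.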