httpd-users mailing list archives

From "Lewis Watson" <li...@visionsix.com>
Subject Re: SUExec running correct
Date Mon, 24 Jun 2002 14:12:17 GMT

----- Original Message -----
From: "Jochen Kaechelin" <jk@wa-p.de>
To: <users@httpd.apache.org>
Sent: Monday, June 24, 2002 8:04 AM
Subject: SUExec running correct


I just compiled 1.3.26 with

./configure --prefix=/usr/local/apache \
--activate-module=src/modules/php4/libphp4.a \
--activate-module=src/modules/fastcgi/mod_fastcgi.a \
--activate-module=src/modules/python/libpython.a \
--activate-module=src/modules/perl/libperl.a \
--enable-suexec \
--suexec-docroot=/www \
--suexec-caller=nobody

and everything is working fine.

/usr/local/apache/bin/httpd -l shows the following:

  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_setenvif.c
  mod_php4.c
  mod_fastcgi.c
  mod_python.c
  mod_perl.c

suexec: enabled; valid wrapper /usr/local/apache/bin/suexec

How can I check if suexec is installed, so that there are no
security holes remaining? Some Scripts?

Apache runs as nobody.nobody!
When I start a php-Script apache executes the script with its
username and group, correct?

When I set a <VirtualHost> container:

<VirtualHost>
...
User jochen
Group jochen
....
</VirtualHost>

the php-script should run with user jochen and group jochen,
correct?

In the error_log I find something like:

[Mon Jun 24 12:57:17 2002] [notice] Apache/1.3.26 (Unix) mod_perl/1.27 mod_python/2.7.8 Python/2.1 mod_fastcgi/2.2.12 PHP/4.2.1 configured -- resuming normal operations
[Mon Jun 24 12:57:17 2002] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Mon Jun 24 12:57:17 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)

Is everything ok, or are there still some security-holes?

--
Jochen Kächelin


Hello Jochen.
Suexec does increase scripting security but there are more aspects to
security. A good start is at

http://httpd.apache.org/docs/misc/security_tips.html

You probably already know that but just wanted to point it out.

Also, to get the security benefit of suexec the script MUST be CGI or SSI,
so using php as a module you lose the suexec safety in php. There are a few
patches on the net for suexec type safety with php but after my research I
decided to use php as a cgi, not module, this way I get the suexec checks
even on php scripts which can be verified by seeing the entry in the cgi.log
file. Other than that yes, the script would fire as user 'jochen' as in your
virtual host example.

Basically, if you want php to go through suexec then run php as a cgi.
Hope this helps....
Lewis Watson
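
The check described in the reply above (confirming in the suexec log that a script really ran through the wrapper, and as the intended user), sketched as an added example that is not part of either message. The log line layout, the function name and the sample entries are assumptions; compare the pattern with a real line from your own cgi.log before relying on it.

```python
import re

# Assumed layout of a suexec execution record (check it against your own log;
# the text before "uid:" differs between Apache versions):
#   [2002-06-24 13:05:41]: uid: (jochen/jochen) gid: (jochen/jochen) cmd: info.php
RECORD = re.compile(
    r"^\[(?P<when>[^\]]+)\]:\s+(?:info:\s+\(target/actual\)\s+)?"
    r"uid:\s+\((?P<t_user>[^/)]+)/(?P<user>[^)]+)\)\s+"
    r"gid:\s+\((?P<t_group>[^/)]+)/(?P<group>[^)]+)\)\s+"
    r"cmd:\s+(?P<cmd>\S+)\s*$"
)

def audit_suexec_log(lines, expected):
    """Compare suexec records with the User/Group each script should run as.

    expected: {script name: (user, group)}, taken from the vhost config.
    Returns (wrong_identity, other_lines, never_seen).
    """
    wrong_identity, other_lines, seen = [], [], set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m is None:
            # Not an execution record: typically a refusal logged by the wrapper.
            other_lines.append(line)
            continue
        # Assumption: the second name in each pair is the identity that was used.
        cmd, ran_as = m["cmd"], (m["user"], m["group"])
        seen.add(cmd)
        if cmd in expected and ran_as != expected[cmd]:
            wrong_identity.append((cmd, ran_as, expected[cmd]))
    # No record at all: the script never went through the wrapper
    # (for example PHP handled by the module instead of as a CGI).
    never_seen = sorted(set(expected) - seen)
    return wrong_identity, other_lines, never_seen

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = """\
[2002-06-24 13:05:41]: uid: (jochen/jochen) gid: (jochen/jochen) cmd: info.php
[2002-06-24 13:06:02]: uid: (jochen/jochen) gid: (users/users) cmd: form.cgi
[2002-06-24 13:07:15]: command not in docroot (/home/other/test.cgi)
""".splitlines()

# Hypothetical script names; every one should run as jochen.jochen.
EXPECTED = {name: ("jochen", "jochen") for name in ("info.php", "form.cgi", "stats.php")}

if __name__ == "__main__":
    print(audit_suexec_log(SAMPLE_LOG, EXPECTED))
```

Request each script once before running the audit, otherwise a script that was simply not hit yet also shows up as never seen.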







