httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] VirutalHosts and suexec
Date Mon, 07 Oct 2002 18:30:24 GMT
Eli wrote:

> I think the best way for suexec to handle this sort of thing would be if
> it could actually read the DocumentRoot directive of the VirtualHost
> that's being used for the call to suexec.  I have no idea if this is
> easily do-able since suexec isn't an Apache module, and I don't know the
> security implications of maybe having the path specified as a command
> line argument, so I guess this is more of a "has anyone else run into
> this barrier" as well as a topic of discussion as to whether or not
> suexec should be changed.

There is no safe way for Apache and suexec to communicate configuration 
details like that.  For example, someone could write a program to behave 
like apache, but pass an arbitrary path in place of the document root, 
thereby allowing them to execute anything at all through suexec.  That 
is the reason that all suexec configuration must be compile-time.

> 
> My only thought on a temporary solution is to use a document root of "/"
> for suexec, but then that may open up other security problems that I
> can't think of right now (suexec checks for "../" and "/" in the command
> to run, and all URLs are translated by Apache before being sent to
> suexec I think...).

As you guess, using "/" as the document root is not a good idea, because 
you allow suexec to execute anything at all on the system (subject to 
its other restrictions).  This could allow someone who compromises the 
apache userid to gain other privileges on the system.

It should be possible, and relatively safe, to modify suexec to have a 
list of acceptable document root paths.  But it is unlikely that 
something like this will make its way into apache, because part of the 
reason that suexec remains secure is because it remains simple.

Joshua.
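
The checks discussed in this thread, modelled as an added example (this is not suexec's code and not from either poster). It encodes the two rules the thread names: the command name may not contain "/" or "..", and the script's directory must lie under a document root fixed at build time. It also shows the allow-list variant Joshua describes and why a "/" root defeats the check. The document roots are constructed sample values, and paths are normalised lexically with posixpath so the block runs offline; real suexec resolves against the live filesystem (chdir then getcwd), which additionally handles symlinks this model does not.

```python
"""Illustrative suexec-style target checks (example code, not suexec's own)."""
import posixpath

# Constructed sample build-time configuration (assumption, not a real build's values).
# In suexec these values are compiled in precisely so that the caller cannot supply them.
COMPILED_DOC_ROOTS = ["/var/www/site-a", "/var/www/site-b"]


def command_name_ok(cmd: str) -> bool:
    """Reject command names containing a path separator or a parent reference."""
    return cmd != "" and "/" not in cmd and ".." not in cmd


def under_root(directory: str, root: str) -> bool:
    """True if the normalised directory is the root itself or lies beneath it.

    The separator is appended before the prefix test so that "/var/www/site-ab"
    is not accepted as being under "/var/www/site-a".
    """
    d = posixpath.normpath(directory)
    r = posixpath.normpath(root)
    if r == "/":
        # A "/" document root accepts every directory on the system, which is
        # the weakness the thread warns about.
        return d.startswith("/")
    return d == r or d.startswith(r + "/")


def suexec_allows(directory: str, cmd: str, doc_roots=COMPILED_DOC_ROOTS) -> bool:
    """Combined check: acceptable command name and directory under some allowed root.

    doc_roots defaults to the compiled-in list; passing a list with several entries
    models the allow-list extension suggested in the reply. Taking the root from
    the caller instead of from this fixed list would let any caller pick a root
    that contains whatever it wants to run, which is why suexec refuses to do so.
    """
    if not command_name_ok(cmd):
        return False
    return any(under_root(directory, root) for root in doc_roots)


if __name__ == "__main__":
    # Constructed sample requests.
    print(suexec_allows("/var/www/site-a/cgi-bin", "index.cgi"))                     # accepted
    print(suexec_allows("/var/www/site-c/cgi-bin", "index.cgi"))                     # root not compiled in
    print(suexec_allows("/var/www/site-a/cgi-bin/../../../../etc", "index.cgi"))     # escapes the root
    print(suexec_allows("/usr/bin", "anything.cgi", doc_roots=["/"]))                 # "/" root accepts all
```

Running the block prints True, False, False, True: the last line is the "/" document root from Eli's temporary idea, and it shows the path check no longer excludes anything.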


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

