Return-Path: Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 43148 invoked by uid 500); 7 Oct 2002 18:33:32 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 43137 invoked from network); 7 Oct 2002 18:33:31 -0000 Received: from venus.commerce.ubc.ca (137.82.154.16) by daedalus.apache.org with SMTP; 7 Oct 2002 18:33:31 -0000 Received: from exchange.commerce.ubc.ca ([137.82.66.44]) by venus.commerce.ubc.ca (8.9.3/8.9.3) with ESMTP id KAA01079 for ; Mon, 7 Oct 2002 10:22:56 -0700 Received: from slive.ca (132.211.73.134 [132.211.73.134]) by exchange.commerce.ubc.ca with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2656.59) id S64M8L1D; Mon, 7 Oct 2002 11:32:15 -0700 Message-ID: <3DA1D2C0.90107@slive.ca> Date: Mon, 07 Oct 2002 14:30:24 -0400 From: Joshua Slive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826 X-Accept-Language: en-us, en, fr MIME-Version: 1.0 To: users@httpd.apache.org References: <000901c26e2d$deefdb00$0200000a@eliwinxp> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N Subject: Re: [users@httpd] VirutalHosts and suexec Eli wrote: > I think the best way for suexec to handle this sort of thing would be if > it could actually read the DocumentRoot directive of the VirtualHost > that's being used for the call to suexec. I have no idea if this is > easily do-able since suexec isn't an Apache module, and I don't know the > security implications of maybe having the path specified as a command > line argument, so I guess this is more of a "has anyone else ran into > this barrier" as well as a topic of discussion as to whether or not > suexec should be changed. There is no safe way for Apache and suexec to communicate configuration details like that. For example, someone could write a program to behave like apache, but pass an arbitrary path in place of the document root, thereby allowing them to execute anything at all through suexec. That is the reason that all suexec configuration must be compile-time. > > My only thought on a temporary solution is to use a document root of "/" > for suexec, but then that may open up other security problems that I > can't think of right now (suexec checks for "../" and "/" in the command > to run, and all URLs are translated by Apache before being sent to > suexec I think...). As you guess, using "/" as the document root is not a good idea, because you allow suexec to execute anything at all on the system (subject to its other restrictions). This could allow someone who compromises the apache userid to gain other priveleges on the system. It should be possible, and relatively safe, to modify suexec to have a list of acceptable document root paths. But it is unlikely that something like this will make its way into apache, because part of the reason that suexec remains secure is because it remains simple. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org " from the digest: users-digest-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org