httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sagara Wijetunga <sagarali...@yahoo.com>
Subject Re: [users@httpd] Secure Apache VirtualHost and suEXEC Support
Date Wed, 23 Jul 2003 11:13:14 GMT
Dear Joshua

Thanks for your reply but I would like to clarify
certain points which worry me very much regarding
suEXEC.

(1) Referring to point 13 (Is the directory within the
Apache webspace?) under the “suEXEC Security Model” of
the “suEXEC Support documentation”
(http://httpd.apache.org/docs-2.0/suexec.html);
 Does this means you have to organize all your
directories and files under your virtual host’s
DocumentRoot (including CGIs and restricted
resources)?
 
If it is, this put you to high risk. It is dangerous
and not a good practice to put your cgi-bin and other
restricted resources under the publicly accessible
DocumentRoot even though you can control the access
thru Unix file privileges.

Can I organize cgi-bin, restricted resources and logs
directories outside of the DocumentRoot?

(3) According to point 4 (Does the target program have
an unsafe hierarchical reference?) under the “suEXEC
Security Model” of the “suEXEC Support documentation”,
Apache does not allow leading '/' or have a '..' back
reference.

What’s the meaning of this? Is the documentation
referring to file path references inside the source of
the CGI program?

Can the Apache check unsafe file references inside the
source of the CGI program before it run the CGI
program and fail if it does? 

(4) For a given Virtual Host under the suEXEC, Apache
logs are written under what user? Apache’s user id
(nobody) or suEXEC user id? 

An early reply is very much appreciated. 
Thanks.
Sagara


--- Joshua Slive <joshua@slive.ca> wrote:
> 
> On Tue, 22 Jul 2003, Sagara Wijetunga wrote:
> > 1.	Is there a way to specify the Virtual Host Root
> and
> > its DocumentRoot separately for a particular
> Virtual
> > Host?
> 
> > 2.	Is it possible to keep the cgi-bin directory
> for a
> > particular Virtual Host under its Virtual Host
> Root,
> > but NOT under its DocumentRoot?
> 
> Yes, you should be able to set the
> --with-document-root argument when you
> compile apache to be the parent of all your
> websites, /var/websites in
> your case.  Remember that the suexec document root
> does not need to be the
> same as any DocumentRoot in your config files.
> 
> > 3.	Is it possible to restrict the scope for CGI
> > scripts to read resources (eg. Files) ONLY from
> any
> > directory under its Virtual Host Root, but NOT
> above
> > its Virtual Host Root?
> 
> This is something between you and your scripting
> language/shell.  Neither
> apache nor suexec can control what a script does
> after it is executed,
> other than by setting its priveleges.  In general,
> the answer to this
> question is "no".  But you should be able to make
> careful use of unix
> priveleges to assure that users can't do bad things.
> 
> Joshua.
> 
>
---------------------------------------------------------------------
> The official User-To-User support forum of the
> Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for
> more info.
> To unsubscribe, e-mail:
> users-unsubscribe@httpd.apache.org
>    "   from the digest:
> users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail:
> users-help@httpd.apache.org
> 


__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message