httpd-users mailing list archives

From Sagara Wijetunga <sagarali...@yahoo.com>
Subject Re: [users@httpd] Secure Apache VirtualHost and suEXEC Support
Date Thu, 24 Jul 2003 14:10:10 GMT
Dear Joshua

Thanks for your clarification.

What really confused me was point 13 (Is the directory within the Apache webspace?) under the “suEXEC Security Model” of the “suEXEC Support documentation” (http://httpd.apache.org/docs-2.0/suexec.html).

Point 13 would have been better written as “If the request is for a regular portion of the server, is the requested directory within the suEXEC's docroot (--with-suexec-docroot=DIR)?”

Sagara

--- Joshua Slive <joshua@slive.ca> wrote:
> 
> On Wed, 23 Jul 2003, Sagara Wijetunga wrote:
> > (1) Referring to point 13 (Is the directory within the
> > Apache webspace?) under the “suEXEC Security Model” of
> > the “suEXEC Support documentation”
> > (http://httpd.apache.org/docs-2.0/suexec.html);
> > Does this mean you have to organize all your
> > directories and files under your virtual host’s
> > DocumentRoot (including CGIs and restricted
> > resources)?
> 
> No.  The document root being referred to here is the
> suexec docroot (the one specified in the
> --with-suexec-docroot=DIR argument when compiling).
> This does not necessarily need to be the same as the
> DocumentRoot specified in httpd.conf.
> 
> > (3) According to point 4 (Does the target program have
> > an unsafe hierarchical reference?) under the “suEXEC
> > Security Model” of the “suEXEC Support documentation”,
> > Apache does not allow a leading '/' or a '..'
> > back reference.
> >
> > What’s the meaning of this? Is the documentation
> > referring to file path references inside the source of
> > the CGI program?
> >
> > Can Apache check unsafe file references inside the
> > source of the CGI program before it runs the CGI
> > program and fail if it does?
> 
> No, this only refers to the path to the cgi script
> that is passed to suexec.  Under normal circumstances,
> apache will not pass unsafe paths to suexec, so this
> restriction is really only intended to cover people
> trying to exploit suexec from outside apache.
> 
> > (4) For a given Virtual Host under the suEXEC, Apache
> > logs are written under what user? Apache’s user id
> > (nobody) or suEXEC user id?
> 
> Apache's main logs are always opened under the id of
> the user who starts apache (usually root).  Suexec
> affects only cgi scripts, not the normal operation of
> the server.
> 
> Joshua.
> 
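The two suEXEC checks the thread discusses (point 4, no leading '/' or '..' in the command path handed to suexec; point 13, the script directory must lie below the compiled-in --with-suexec-docroot directory) can be modelled in a few lines. The following is an added illustration written for this page, not the real suexec.c source or anything posted in the thread. It assumes a docroot of /var/www as a stand-in for --with-suexec-docroot=DIR, checks paths lexically so it runs offline, and omits the ~user (userdir) branch of point 13; the real suexec chdir()s into the script directory and compares getcwd() against the docroot, which also defeats symlink tricks.

```python
"""
Constructed model of two suEXEC security-model checks (not the real suexec.c):

  * check 4:  the command passed to suexec may not start with '/' and may
              not contain a '..' path component.
  * check 13: for a regular (non-userdir) request, the directory the script
              lives in must be the suexec docroot or a directory below it.

Paths are normalised lexically here so the example runs without touching
the filesystem; real suexec chdir()s to the directory and inspects getcwd().
"""
import posixpath

# Assumed value standing in for the compile-time --with-suexec-docroot=DIR.
SUEXEC_DOCROOT = "/var/www"


def has_unsafe_hierarchical_reference(cmd: str) -> bool:
    """Check 4: reject an absolute command path or any '..' component."""
    if cmd.startswith("/"):
        return True
    return ".." in cmd.split("/")


def is_within_docroot(script_dir: str, docroot: str = SUEXEC_DOCROOT) -> bool:
    """Check 13: the normalised script directory must equal docroot or sit below it.

    normpath collapses '..' so '/var/www/../etc' becomes '/etc' and fails;
    the trailing '/' in the prefix test stops '/var/www2' passing for '/var/www'.
    """
    norm_dir = posixpath.normpath(script_dir)
    norm_root = posixpath.normpath(docroot)
    return norm_dir == norm_root or norm_dir.startswith(norm_root + "/")


def suexec_would_accept(script_dir: str, cmd: str, docroot: str = SUEXEC_DOCROOT):
    """Run both checks for a command executed from script_dir.

    Returns (accepted, reason) so a caller can log why a request was refused.
    """
    if has_unsafe_hierarchical_reference(cmd):
        return False, "unsafe hierarchical reference in command"
    if not is_within_docroot(script_dir, docroot):
        return False, "directory is not within the suexec docroot"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: a normal vhost CGI, a '..' command and a
    # directory outside the docroot.
    for directory, command in [
        ("/var/www/vhost1/cgi-bin", "test.cgi"),
        ("/var/www/vhost1/cgi-bin", "../test.cgi"),
        ("/home/user/cgi-bin", "test.cgi"),
    ]:
        print(directory, command, suexec_would_accept(directory, command))
```

Note how the model matches Joshua's point: the '..' rule is applied to the command string suexec receives, not to anything inside the CGI's source, and the docroot compared against is the compile-time suexec docroot rather than the virtual host's DocumentRoot.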




