httpd-users mailing list archives

From Joshua Slive <>
Subject Re: [users@httpd] Secure Apache VirtualHost and suEXEC Support
Date Wed, 23 Jul 2003 13:47:43 GMT

On Wed, 23 Jul 2003, Sagara Wijetunga wrote:
> (1) Referring to point 13 (Is the directory within the
> Apache webspace?) under the “suEXEC Security Model” of
> the “suEXEC Support documentation”
> (;
>  Does this mean you have to organize all your
> directories and files under your virtual host’s
> DocumentRoot (including CGIs and restricted
> resources)?

No.  The document root being referred to here is the suexec docroot (the
one specified in the --with-suexec-docroot=DIR argument when compiling).
This does not necessarily need to be the same as the DocumentRoot
specified in httpd.conf.

> (3) According to point 4 (Does the target program have
> an unsafe hierarchical reference?) under the “suEXEC
> Security Model” of the “suEXEC Support documentation”,
> Apache does not allow a leading '/' or a '..' back
> reference.
> What’s the meaning of this? Is the documentation
> referring to file path references inside the source of
> the CGI program?
> Can Apache check for unsafe file references inside the
> source of the CGI program before it runs the CGI
> program, and fail if it finds any?

No, this only refers to the path to the cgi script that is passed to
suexec.  Under normal circumstances, apache will not pass unsafe paths to
suexec, so this restriction is really only intended to cover people trying
to exploit suexec from outside apache.

> (4) For a given Virtual Host under the suEXEC, Apache
> logs are written under what user? Apache’s user id
> (nobody) or suEXEC user id?

Apache's main logs are always opened under the id of the user who starts
apache (usually root).  Suexec affects only cgi scripts, not the normal
operation of the server.
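The two suexec checks discussed in this reply (point 4, the unsafe hierarchical reference in the command path, and point 13, the directory lying within the suexec docroot), as an added illustration in Python. This is not suexec's own code and not part of the original thread; the docroot value, the function names and the sample paths are constructed for the example.

```python
import os
from typing import Tuple

# Constructed stand-in for the compile-time --with-suexec-docroot=DIR value
# (assumption for this example; a real build uses whatever was configured).
SUEXEC_DOCROOT = "/var/www/suexec-root"


def has_unsafe_hierarchical_reference(cmd: str) -> bool:
    """Point 4 of the suEXEC security model, reimplemented for illustration:
    the command path handed to suexec must not start with '/' and must not
    contain a '..' path component. It says nothing about the script's source."""
    if cmd.startswith("/"):
        return True
    return any(part == ".." for part in cmd.split("/"))


def is_within_docroot(cwd: str, docroot: str = SUEXEC_DOCROOT) -> bool:
    """Point 13: the directory the script lives in must be at or below the
    suexec docroot. Note this is the compile-time suexec docroot, not the
    DocumentRoot from httpd.conf. Paths are normalised lexically here; the
    real suexec inspects the directory it has actually chdir'ed into."""
    real_cwd = os.path.normpath(cwd)
    real_root = os.path.normpath(docroot)
    # Compare with a trailing separator so "/var/www/suexec-root-evil" is not
    # mistaken for a child of "/var/www/suexec-root".
    return real_cwd == real_root or real_cwd.startswith(real_root + os.sep)


def check_request(cwd: str, cmd: str, docroot: str = SUEXEC_DOCROOT) -> Tuple[bool, str]:
    """Apply both checks and report the first reason for refusal, in the
    spirit of suexec logging a reason and exiting rather than executing."""
    if has_unsafe_hierarchical_reference(cmd):
        return False, "unsafe hierarchical reference in command"
    if not is_within_docroot(cwd, docroot):
        return False, "directory is outside the suexec docroot"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one acceptable, three that suexec's model refuses.
    samples = [
        ("/var/www/suexec-root/site1/cgi-bin", "test.cgi"),
        ("/var/www/suexec-root/site1/cgi-bin", "/bin/sh"),
        ("/var/www/suexec-root/site1/cgi-bin", "../../../bin/sh"),
        ("/home/someone/public_html", "test.cgi"),
    ]
    for cwd, cmd in samples:
        ok, reason = check_request(cwd, cmd)
        print(f"{cwd} {cmd!r}: {'allowed' if ok else 'refused'} ({reason})")
```

The point the reply makes is visible in the split between the two functions: the hierarchical-reference rule looks only at the command string Apache hands to suexec, while the docroot rule looks at the directory, and neither ever opens the CGI's source.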

