From: Joshua Slive
To: users@httpd.apache.org
Date: Wed, 23 Jul 2003 09:47:43 -0400
Subject: Re: [users@httpd] Secure Apache VirtualHost and suEXEC Support

On Wed, 23 Jul 2003, Sagara Wijetunga wrote:

> (1) Referring to point 13 (Is the directory within the
> Apache webspace?) under the "suEXEC Security Model" of
> the "suEXEC Support documentation"
> (http://httpd.apache.org/docs-2.0/suexec.html);
> Does this mean you have to organize all your
> directories and files under your virtual host's
> DocumentRoot (including CGIs and restricted
> resources)?

No. The document root being referred to here is the suexec docroot (the one specified in the --with-suexec-docroot=DIR argument when compiling). This does not necessarily need to be the same as the DocumentRoot specified in httpd.conf.

> (3) According to point 4 (Does the target program have
> an unsafe hierarchical reference?) under the "suEXEC
> Security Model" of the "suEXEC Support documentation",
> Apache does not allow a leading '/' or a '..' back
> reference.
>
> What's the meaning of this? Is the documentation
> referring to file path references inside the source of
> the CGI program?
>
> Can Apache check unsafe file references inside the
> source of the CGI program before it runs the CGI
> program and fail if it does?

No, this only refers to the path to the cgi script that is passed to suexec. Under normal circumstances, apache will not pass unsafe paths to suexec, so this restriction is really only intended to cover people trying to exploit suexec from outside apache.

> (4) For a given Virtual Host under the suEXEC, Apache
> logs are written under what user? Apache's user id
> (nobody) or suEXEC user id?

Apache's main logs are always opened under the id of the user who starts apache (usually root). Suexec affects only cgi scripts, not the normal operation of the server.

Joshua.
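The two suEXEC checks discussed above (point 4, no leading '/' and no '..' component in the command passed to suexec, and point 13, the script's directory must lie under the suexec docroot) are easy to misread as checks on the CGI's source. The following is an added illustration written for this thread, not code from suexec.c or any Apache project source: it models the two path checks as stand-alone C functions on constructed sample inputs. The function names, the "/var/www" docroot and the sample paths are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Model of the "unsafe hierarchical reference" check (point 4 of the
 * suEXEC security model): the command handed to suexec must be a
 * relative path that neither starts with '/' nor contains a ".." path
 * component. Illustration only, not the suexec.c implementation.
 * Returns 1 if the reference is unsafe, 0 if it is acceptable. */
int unsafe_hierarchical_ref(const char *cmd)
{
    const char *p;

    if (cmd == NULL || cmd[0] == '\0' || cmd[0] == '/')
        return 1;

    /* Walk the path component by component. A component that is exactly
     * ".." is rejected wherever it appears; names such as "x..y.cgi" are
     * ordinary file names and pass. */
    p = cmd;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return 0;
}

/* Model of the "directory within the webspace" check (point 13): the
 * directory containing the script must be the suexec docroot itself or
 * a directory beneath it. A bare prefix comparison would accept
 * "/var/www-other" for a docroot of "/var/www", so the character right
 * after the matched prefix must be '/' or the end of the string.
 * Returns 1 if dir is inside the docroot, 0 otherwise. */
int within_docroot(const char *docroot, const char *dir)
{
    size_t n = strlen(docroot);

    if (n == 0 || docroot[0] != '/' || dir == NULL || dir[0] != '/')
        return 0;
    /* Tolerate a trailing slash on the configured docroot. */
    while (n > 1 && docroot[n - 1] == '/')
        n--;
    if (n == 1)              /* docroot is "/": every absolute dir is inside */
        return 1;
    if (strncmp(dir, docroot, n) != 0)
        return 0;
    return dir[n] == '\0' || dir[n] == '/';
}

int main(void)
{
    /* Constructed sample inputs for the demonstration. */
    const char *docroot = "/var/www";
    const char *cmds[] = { "cgi-bin/hello.cgi", "/etc/passwd",
                           "../../bin/sh", "a/../b.cgi", "x..y.cgi" };
    const char *dirs[] = { "/var/www", "/var/www/site1/cgi-bin",
                           "/var/www-other", "/home/user" };
    size_t i;

    for (i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("cmd %-20s -> %s\n", cmds[i],
               unsafe_hierarchical_ref(cmds[i]) ? "REJECT" : "ok");
    for (i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        printf("dir %-24s -> %s\n", dirs[i],
               within_docroot(docroot, dirs[i]) ? "inside" : "OUTSIDE");
    return 0;
}
```

Neither function looks inside the script; they only inspect the path Apache hands to suexec and the directory it runs from, which is the distinction the reply makes. The component-wise ".." test and the '/'-boundary test after the prefix match are the two details worth getting right in any such check.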