httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] SuExec and symlinks
Date Mon, 19 Sep 2005 12:57:01 GMT
On 9/19/05, Oscar Haeger <Oscar.Haeger@nbit.sigma.se> wrote:
> What I'd like to know is if SuExec somehow prevents me from running scripts via
> symlinks.
> I have a webserver with SuExec installed and I'd like to be able to run scripts
> that resides in other peoples cgi-bin directories. I've tested this but haven't
> been able to get it to work.

Well, yeah.  Allowing anything symlinked to get executed by suexec
would violate the basic security model.  I agree that neither the
error message nor the docs are very explicit about this, but I think
the assumption is that security-minded people will know that a program
like suexec must forbid symlinks to do its job.

If you know a little c, then reading the suexec.c source code makes
things clear:
    /*
     * Error out if we cannot stat the program.
     */
    if (((lstat(cmd, &prg_info)) != 0) || (S_ISLNK(prg_info.st_mode))) {
        log_err("cannot stat program: (%s)\n", cmd);
        exit(117);
    }

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message