httpd-users mailing list archives

From Lukas Erlacher <erlac...@in.tum.de>
Subject [users@httpd] mod_cgid socket permissions
Date Thu, 20 Oct 2016 09:06:28 GMT
Hello,

I am running an apache 2.4 server (2.4.18-2ubuntu3.1) on Ubuntu 16.04 
with mod_userdir, mod_suexec_custom, mod_cgid and php5.6-cgi.

Users can place arbitrary documents and scripts in their userdirs and 
are not considered trusted, so should not be able to interfere with 
anything except their own scripts and should not be able to do anything 
other than have apache execute their scripts with their

https://httpd.apache.org/docs/2.4/mod/mod_cgid.html#scriptsock says:
> The socket will be opened using the permissions of the user who starts Apache (usually
> root). To maintain the security of communications with CGI scripts, it is important that no
> other user has permission to write in the directory where the socket is located.

To make CGID work with suexec+userdir, I've had to change the socket to 
make it group-owned by www-data and with g+w set:

> me@box:~$ ls -al /var/run/apache2/
> total 4
> drwxr-xr-x  2 root     root       80 Oct 20 09:09 .
> drwxr-xr-x 25 root     root     1000 Oct 20 10:38 ..
> -rw-r--r--  1 root     root        5 Oct 20 09:09 apache2.pid
> srwx-w----  1 www-data www-data    0 Oct 20 09:09 cgisock.9822

I hacked up the init script to perform this, by adding the following to 
apache_wait_start:

> for sockfile in /var/run/apache2/cgisock.*; do
>         if [ -S "$sockfile" ]; then
>                 chown www-data:www-data /var/run/apache2/cgisock.*
>                 chmod g+w /var/run/apache2/cgisock.*
>                 break
>         fi
> done

This works because suexec apparently retains the www-data group membership.

(Here's the output of a php script that echoes posix_getuid() and runs 
system('id -a'):

> 31524
> uid=31524(erlacher) gid=20909(tumuser) groups=20909(tumuser),0(root),4(adm),33(www-data),108(syslog),5177(sambarbg),9044(rbg),14777(ljfs),16693(desktop)

Ignore the "root" group; that's part of my groups. Of course it would be 
nice to have suexec drop groups, but that's not a feature that exists...)

Now, getting back to the statement in the apache docs: Is this a 
security violation / vulnerability? What can an attacker do with that 
socket other than execute arbitrary programs on the machine using their 
own permissions (plus www-data group)? They can already do that by 
virtue of being able to place arbitrary cgi scripts in their userdirs.

Thank you for any thoughts or pointers!

Best regards,
Luke
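As an added example (not part of Lukas's post or of httpd itself), a small Python audit of the two things the quoted docs care about: who can write to the cgid socket, and who can write in the directory that holds it. It builds a throwaway directory and a real Unix socket with the same modes as the `ls -al` listing above (0755 directory, `srwx-w----` socket); the directory path and the "web group" gid are constructed assumptions, not values from a live server.

```python
"""Audit mod_cgid socket and directory permissions (added example)."""
import os
import socket
import stat
import tempfile


def audit_cgid_socket(sock_path, web_group_gid):
    """Report write access on the socket and on its containing directory.

    The docs require that no user other than the one who starts Apache can
    write in the socket's directory; the socket's own mode decides who can
    connect to cgid (a Unix socket needs write permission to connect).
    """
    st_sock = os.lstat(sock_path)
    st_dir = os.stat(os.path.dirname(sock_path) or ".")
    f = {
        "is_socket": stat.S_ISSOCK(st_sock.st_mode),
        # Who can connect: owner always, group with g+w, everyone with o+w.
        "socket_group_writable": bool(st_sock.st_mode & stat.S_IWGRP),
        "socket_world_writable": bool(st_sock.st_mode & stat.S_IWOTH),
        "socket_gid_is_web_group": st_sock.st_gid == web_group_gid,
        # Directory: any g+w or o+w here violates the documented requirement.
        "dir_group_writable": bool(st_dir.st_mode & stat.S_IWGRP),
        "dir_world_writable": bool(st_dir.st_mode & stat.S_IWOTH),
    }
    f["dir_meets_docs"] = not (f["dir_group_writable"] or f["dir_world_writable"])
    return f


def demo():
    """Recreate the post's layout in a temp dir, audit it, then clean up."""
    run_dir = tempfile.mkdtemp()          # stands in for /var/run/apache2
    os.chmod(run_dir, 0o755)              # drwxr-xr-x as in the listing
    path = os.path.join(run_dir, "cgisock.9822")  # constructed name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)                        # creates a real socket inode
    os.chmod(path, 0o720)                 # srwx-w---- as in the listing
    try:
        # The current gid plays the role of www-data here.
        return audit_cgid_socket(path, os.getgid())
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(run_dir)


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Run against a real server by calling `audit_cgid_socket("/var/run/apache2/cgisock.<pid>", grp.getgrnam("www-data").gr_gid)`; `dir_meets_docs` answers the docs' requirement, while `socket_group_writable` shows the widening the init-script change introduces.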

