www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Patrick Rigney <patr...@evocative.com>
Subject suexec/1001: Potential group security hole with suexec
Date Sat, 16 Aug 1997 20:40:01 GMT

>Number:         1001
>Category:       suexec
>Synopsis:       Potential group security hole with suexec
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Aug 16 13:40:01 1997
>Originator:     patrick@evocative.com
>Release:        1.2.1
FreeBSD 2.2.2-RELEASE, gcc
suexec will setuid/setgid to user who has group membership below GID_MIN.
For example, if a user "fred" with groups wheel(0) staff(20) and fred(1022) appears
in the User directive of a virtual host, and that vhost uses suexec, then
suexec cgis will run within "wheel" (and other above) group privs.  The Group
directive is not effective in limiting groups for the suexec, and in fact adds
to the group membership.  For example, specifying group "nobody" would make the
list of groups "nobody, wheel, staff, fred" for the above.  This can be easily
exploited if the user's CGI or cgi-bin is writable by other users (perhaps
through permission via other groups mentioned, e.g. staff).
Select/create a user with membership in a few low groups (< GID_MIN).  Create a
vhost and set it up for suexec, using that user in the User directive. A simple
shell CGI scipt that runs /usr/bin/whoami and /usr/bin/groups and displays their output will
show the effect.
The grouplist should be checked after setgid()/initgroups(), and at a minimum a 
warning issued to the log, perhaps with a compile-time option to abort.
Or (my personal preference) setgroups() could be used to limit the grouplist
to only that group specified in the Group directive, or only those >= GID_MIN

View raw message