www-apache-bugdb mailing list archives

From Greg Colyer <g...@elysium.demon.co.uk>
Subject suexec/1469: suexec allows intermediate directories with unsafe permissions
Date Mon, 24 Nov 1997 11:42:28 GMT

>Number:         1469
>Category:       suexec
>Synopsis:       suexec allows intermediate directories with unsafe permissions
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Nov 24 03:50:00 PST 1997
>Last-Modified:
>Originator:     greg@elysium.demon.co.uk
>Organization:
apache
>Release:        1.2.4
>Environment:
Linux 2.0.30
>Description:
If suexec is run from the command line in directory dir, with a target command
of subdir/script.cgi, tests will be done on dir and on script.cgi, but not
on subdir, which may therefore be owned by someone else, world-writable, etc.

It seems that suexec would always be called by Apache with working directory
subdir in this case, so the security hole matters only when suexec is run from
the command line, as far as I know.
>How-To-Repeat:
See above.
>Fix:
Some protection is given by installing suexec with ownership root/httpd (server
running as httpd/httpd) and permissions 4710, not 4711 as suggested. I recommend
changing this in the documentation anyway. Note that if any scripts are run
without suexec (i.e. as httpd/httpd) then they will still be able to call suexec
themselves. Along with this, therefore, it should be recommended that a
<VirtualHost _default_> with User cgi and Group cgi (say) is always used
with suexec.

It would be even better to disallow '/' completely from the target command.
(Patch available on request.) This relies on suexec being passed the relative
pathname of the target command, which is what (at present) Apache does.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
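The gap the report describes is easy to see in code: a check that inspects only the working directory and the final script says nothing about `subdir` in `subdir/script.cgi`. The example below is an added illustration, not Apache's suexec source: it walks the base directory, every intermediate directory component and the script itself, applying suexec-style tests (owner matches the expected uid, not a symlink, not group- or world-writable), and it also implements the stronger rule suggested above of refusing any `/` in the target command. The helper names, the constructed demo tree and the choice of the invoking user as the expected owner are assumptions made for this example.

```python
import os
import stat
import tempfile

# suexec-style rule: neither group nor others may write a directory or script
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def target_is_bare_name(target):
    """The stricter fix proposed in the report: refuse any '/' in the target
    command so there can be no intermediate directory to miss."""
    return target not in ("", ".", "..") and "/" not in target


def check_path_components(base_dir, target, expected_uid=None):
    """Return [(path, reason), ...] for every component that fails a
    suexec-style check, covering base_dir, each intermediate directory of the
    relative target, and the script itself.  An empty list means safe.

    Added example (hypothetical helper, not Apache code).  expected_uid
    defaults to the invoking user, an assumption made for this demo.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    if os.path.isabs(target):
        return [(target, "absolute target path")]

    # Build the list of paths to test: base_dir, then each successive prefix.
    paths = [base_dir]
    current = base_dir
    for part in target.split("/"):
        if part in ("", ".", ".."):
            return [(os.path.join(current, part), "dot or empty path component")]
        current = os.path.join(current, part)
        paths.append(current)

    findings = []
    for path in paths:
        try:
            st = os.lstat(path)  # lstat so a symlink is seen as a symlink
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
            continue
        if st.st_uid != expected_uid:
            findings.append((path, "owned by uid %d, expected %d"
                             % (st.st_uid, expected_uid)))
        if st.st_mode & WRITABLE_BY_OTHERS:
            findings.append((path, "group- or world-writable"))
    return findings


def harden_directory(path):
    """Remediation for a flagged directory: owner-only write (0755)."""
    os.chmod(path, 0o755)


def build_demo_tree():
    """Construct a sample tree dir/subdir/script.cgi in a temp directory,
    with subdir deliberately world-writable.  Constructed demo data."""
    base = tempfile.mkdtemp(prefix="suexec-demo-")
    os.chmod(base, 0o755)
    subdir = os.path.join(base, "subdir")
    os.mkdir(subdir)
    os.chmod(subdir, 0o777)  # the unsafe intermediate directory
    script = os.path.join(subdir, "script.cgi")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho 'Content-type: text/plain'\necho\nid\n")
    os.chmod(script, 0o755)
    return base, subdir, script


if __name__ == "__main__":
    base, subdir, script = build_demo_tree()
    print("before:", check_path_components(base, "subdir/script.cgi"))
    harden_directory(subdir)
    print("after: ", check_path_components(base, "subdir/script.cgi"))
    print("bare name accepted:", target_is_bare_name("script.cgi"),
          "| path rejected:", not target_is_bare_name("subdir/script.cgi"))
```

Run as a script it reports `subdir` as group- or world-writable before `harden_directory` and nothing after; `target_is_bare_name` shows how the "no slash" rule removes the problem entirely, at the cost of relying on Apache always passing a bare relative name, which the report notes is the current behaviour.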