www-apache-bugdb mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: suexec/2241: suEXEC won't execute anything not under DOC_ROOT from suexec.h
Date Wed, 20 May 1998 20:10:01 GMT
The following reply was made to PR suexec/2241; it has been noted by GNATS.

From: Marc Slemko <marcs@znep.com>
To: Alex Semenyaka <alexs@snark.rinet.ru>
Cc: Apache bugs database <apbugs@apache.org>
Subject: Re: suexec/2241: suEXEC won't execute anything not under DOC_ROOT from suexec.h
Date: Wed, 20 May 1998 13:39:04 -0600 (MDT)

 On Mon, 18 May 1998, Alex Semenyaka wrote:
 
 > > State-Changed-From-To: open-closed
 > > State-Changed-By: marc
 > > State-Changed-When: Sun May 17 07:17:26 PDT 1998
 > > State-Changed-Why:
 > > suexec is the way it is for a reason; letting it blindly
 > > trust the environment variable it is passed opens up a security hole
 > > by allowing anyone who can run suexec (ie. as the user that
 > > is defined in suexec.h) to run _any_ program anywhere on
 > > disk, subject to the other restrictions.  This can have
 > > very serious security implications.
 > > 
 > > Again, suexec will only execute programs under a defined
 > > DOCUMENT_ROOT or in ~userdirs by design for security
 > > reasons.
 > 
 > That's right but I believe that same trick can be done in the next manner:
 > 1) Create new group (httpd, for example)
 > 2) The only member of this group will be that pseudo-user, who is running httpd
 > (from httpd.conf). Make sure that this user has no shell (i.e. cannot login).
 > 3) Set owner for suexec as root/httpd
 > 4) Set permissions for suexec as 4010.
 > 
 > Nobody except the user running httpd can run suexec here. I suppose this
 > solution is secure enough, isn't it?
 
 No, it isn't.  We already check to be sure that the user running suexec is
 the user that httpd runs as.  Either someone can run a non-suexeced CGI or
 can perhaps find some other hole in the server to break into; your
 solution gives them full access.  There is _NO_ benefit to checking an
 environment variable for the document root; it is exactly the same as if
 you didn't bother checking.
 
 It is easy to make something with more functionality if you toss out
 security.  However, most of the places where suexec is limited it is
 limited for a very good reason. 
 
 > 
 > 							Sincerely yours,
 > 							Alex Semenyaka
 > 
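
The argument in the reply above, as an added example (not code from suexec or from either poster): a containment check is only a restriction when its root is fixed at build time, because a root taken from the environment is chosen by the same caller that names the program. The `DOC_ROOT` value, the helper names `is_under`, `allowed_fixed` and `allowed_env`, and the sample paths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the compile-time DOC_ROOT in suexec.h. */
#define DOC_ROOT "/usr/local/apache/htdocs"

/* Return 1 if path lies strictly below root (prefix match on a path
 * component boundary), else 0. Paths are assumed already canonical;
 * symlink and ".." resolution is out of scope for this sketch. */
static int is_under(const char *root, const char *path)
{
    size_t n = strlen(root);
    if (n == 0 || root[0] != '/')
        return 0;
    while (n > 1 && root[n - 1] == '/')   /* ignore trailing slashes */
        n--;
    if (strncmp(root, path, n) != 0)
        return 0;
    if (n == 1)                            /* root is "/" */
        return path[1] != '\0';
    return path[n] == '/' && path[n + 1] != '\0';
}

/* Policy described in the reply: the root is fixed when the binary is built. */
int allowed_fixed(const char *path)
{
    return is_under(DOC_ROOT, path);
}

/* Policy requested in the PR: the root comes from an environment variable,
 * i.e. from the same caller that supplies the path. */
int allowed_env(const char *env_docroot, const char *path)
{
    return env_docroot != NULL && is_under(env_docroot, path);
}

int main(void)
{
    /* Constructed requests: {caller-supplied root, program path}. */
    const char *req[][2] = {
        { DOC_ROOT, DOC_ROOT "/cgi-bin/form.cgi" },
        { "/",      "/opt/tools/report" },
        { "/home",  "/home/alice/private/tool" },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%-42s fixed=%d env=%d\n", req[i][1],
               allowed_fixed(req[i][1]), allowed_env(req[i][0], req[i][1]));
    return 0;
}
```

Every row passes the environment-based check while only the first passes the fixed one, which is why the caller-identity check alone carries the whole policy once the root is caller-supplied.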
 
