www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Patrick Rigney <patr...@evocative.com>
Subject Re: suexec/1001: Potential group security hole with suexec
Date Wed, 20 May 1998 06:24:24 GMT
brian@hyperreal.org wrote:
> 
> [In order for any reply to be added to the PR database, ]
> [you need to include <apbugs@Apache.Org> in the Cc line ]
> [and leave the subject line UNCHANGED.  This is not done]
> [automatically because of the potential for mail loops. ]
> 
> Synopsis: Potential group security hole with suexec
> 
> State-Changed-From-To: open-closed
> State-Changed-By: brian
> State-Changed-When: Tue May 19 21:48:27 PDT 1998
> State-Changed-Why:
> yeah, better never than late, eh?  :)
> 
> To be honest I don't see the security hole present here.
> The whole point of suexec is to put the same protections
> around the CGI that Unix puts around its users.  A poorly
> written and exploitable CGI, under suexec, can do as much
> damage to the OS as the user whose userid it runs under can
> also do.  This is not a chroot jail and doesn't try to be.
> 
> If we were to implement a warning or check, chances are the
> volume of bug reports we'd get about it would overwhelm us,
> as everyone testing "suexec" for the first time will be someone
> who has wheel group membership (etc.) since they had to become
> root to install suexec.
> 
> Thanks for the note, though, it was good food for thought.

Brian, I understand and agree.  I think it would be worth pointing out,
however, that the "Group" directive specified in the config file is, as
is generally the case but easily forgotten, a specification of the
primary group, and not necessarily all the groups to which a user may
belong.  I'd rather have seen it in the documentation and kick myself
for not paying attention than see it in a CERT advisory.

Thanks for the note.
Patrick

Mime
View raw message