Message-Id: <20010326175524.68595.qmail@apache.org>
Date: 26 Mar 2001 17:55:24 -0000
From: Mark Frazer
Reply-To: mark@somanetworks.com
To: submit@bugz.apache.org
X-Send-Pr-Version: 3.110
Subject: suexec/7466: Alias prevents suexec from wrapping cgi's

>Number: 7466
>Category: suexec
>Synopsis: Alias prevents suexec from wrapping cgi's
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Mar 26 10:00:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: mark@somanetworks.com
>Release: 1.3.12
>Organization: apache
>Environment:
Linux jimmy.yyz.somanetworks.com 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown
RedHat 7.0, as distributed
>Description:
I add the following alias to my httpd.conf

    Alias /configuration/ /export/home/mjfrazer/public_html/configuration/

and the cgi scripts that are in that directory no longer get wrapped by suexec. Going to the scripts using ~mjfrazer/configuration/script.cgi works fine though.

Note that this could be a possible security issue if you want to give a user an alias but keep the user from exec'ing programs under the httpd's uid/gid.
>How-To-Repeat:
Add an alias to a directory in a user's web space.
>Fix:
If an alias is to a directory outside of the docroot, suexec should wrap all scripts.
>Release-Note:
>Audit-Trail:
>Unformatted:
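
Added example, not part of the original report and not Apache code: a configuration audit that lists Alias and ScriptAlias directives whose target lies inside a user's web space, which is the setup the report describes. The function name is hypothetical, the defaults /export/home and public_html are assumptions taken from the paths quoted in the report, and the sample config is constructed.

```python
import shlex
from pathlib import PurePosixPath

# Constructed httpd.conf fragment; only the /configuration/ Alias line
# is quoted from the report, the rest is sample input.
SAMPLE_CONF = '''\
# constructed httpd.conf fragment
DocumentRoot "/var/www/html"
UserDir public_html
Alias /icons/ "/var/www/icons/"
Alias /configuration/ /export/home/mjfrazer/public_html/configuration/
scriptalias /tools/ "/export/home/alice/public_html/cgi-bin/"
  # Alias /old/ /export/home/bob/public_html/old/
'''

DIRECTIVES = {"alias", "scriptalias"}  # directive names are case-insensitive


def find_userdir_aliases(conf_text, home_base="/export/home", userdir="public_html"):
    """Return (lineno, url_prefix, target, user) for each Alias/ScriptAlias
    whose target lies inside <home_base>/<user>/<userdir> (assumed layout)."""
    base = PurePosixPath(home_base)
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out directive
        try:
            tokens = shlex.split(line)    # copes with quoted paths
        except ValueError:
            continue                      # unbalanced quotes: not parseable here
        if len(tokens) != 3 or tokens[0].lower() not in DIRECTIVES:
            continue
        url_prefix, target = tokens[1], PurePosixPath(tokens[2])
        try:
            rel = target.relative_to(base)
        except ValueError:
            continue                      # target is not under the home base
        if len(rel.parts) >= 2 and rel.parts[1] == userdir:
            findings.append((lineno, url_prefix, str(target), rel.parts[0]))
    return findings


if __name__ == "__main__":
    for lineno, url, target, user in find_userdir_aliases(SAMPLE_CONF):
        print(f"line {lineno}: {url} -> {target} is in {user}'s web space; "
              "check which uid/gid CGI under this alias runs as")
```

The check does not follow Include directives or resolve symlinks and ".." components, so run it on the fully assembled configuration.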