>Number:         1346
>Category:       suexec
>Synopsis:       questionable user promotion
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Nov 1 05:30:00 PST 1997
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        ALL
>Environment:
all UNIX flavours
>Description:
When executing CGIs/SSIs, there is a somewhat insecure method of user promotion.
(a) CGIs exhibit user promotion
(b) SSIs/scripts may not.
(c) the permissions are determined by file location.
>How-To-Repeat:
execute a binary CGI, a shell script CGI, and an SSI.
>Fix:
<SUEXEC FIX> The user promotion should always go to the OWNER of the file. Or at least this should be a configurable option. There could be a configurable exception for files owned by root.

<APACHE FIX> The biggest problem, though, is that any executed file should be executed via suexec if it is enabled; there should be no exceptions to that rule.

<APACHE FIX> As a side note, if the server is not executing as root, it may not be able to setrlimits correctly; consequently, files not executed through suexec may run out of control.
>Audit-Trail:
>Unformatted:
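
The promotion rule proposed under >Fix, sketched as an added example; it is not part of the original report and is not suexec's code. The names `promo_policy` and `promo_decide`, the fallback identity, the mode checks, and treating gid 0 like root ownership are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>

/* Hypothetical policy knobs; the names are assumptions, not suexec options. */
struct promo_policy {
    int   allow_root_owned; /* the report's configurable exception for root-owned files */
    uid_t fallback_uid;     /* identity used for those files when the exception is on */
    gid_t fallback_gid;
};
enum promo_result { PROMO_OK, PROMO_NOT_REGULAR, PROMO_UNSAFE_MODE, PROMO_ROOT_OWNED };

/* Pick the uid/gid from the file's own metadata, not from its location.
 * Callers should fill st with lstat() so a symlink is rejected, not followed. */
enum promo_result promo_decide(const struct stat *st, const struct promo_policy *p,
                               uid_t *uid, gid_t *gid)
{
    if (!S_ISREG(st->st_mode))
        return PROMO_NOT_REGULAR;
    /* Group/world-writable or set-id files must not choose the identity. */
    if (st->st_mode & (S_IWGRP | S_IWOTH | S_ISUID | S_ISGID))
        return PROMO_UNSAFE_MODE;
    if (st->st_uid == 0 || st->st_gid == 0) {
        /* Never promote to root: refuse, or use the configured fallback. */
        if (!p->allow_root_owned)
            return PROMO_ROOT_OWNED;
        *uid = p->fallback_uid;
        *gid = p->fallback_gid;
        return PROMO_OK;
    }
    *uid = st->st_uid;
    *gid = st->st_gid;
    return PROMO_OK;
}

int main(void)
{
    /* Constructed samples: user CGI, group-writable script, root-owned file. */
    static struct stat s[3];                 /* zero-initialised */
    struct promo_policy pol = { 0, 0, 0 };   /* strict: no root exception */
    uid_t u = 0; gid_t g = 0;
    s[0].st_mode = S_IFREG | 0755; s[0].st_uid = 1001; s[0].st_gid = 1001;
    s[1].st_mode = S_IFREG | 0775; s[1].st_uid = 1001; s[1].st_gid = 1001;
    s[2].st_mode = S_IFREG | 0755;           /* uid 0, gid 0 */
    for (int i = 0; i < 3; i++)
        printf("sample %d: result=%d\n", i, promo_decide(&s[i], &pol, &u, &g));
    return 0;
}
```

The same decision function would be called for binary CGIs, shell-script CGIs and SSI-spawned commands alike, which is the "no exceptions" point of the report.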
