>Number: 1469
>Category: suexec
>Synopsis: suexec allows intermediate directories with unsafe permissions
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Nov 24 03:50:00 PST 1997
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2.4
>Environment: Linux 2.0.30
>Description:
If suexec is run from the command line in directory dir, with a target command of subdir/script.cgi, tests will be done on dir and on script.cgi, but not on subdir, which may therefore be owned by someone else, world-writable, etc.

It seems that suexec would always be called by Apache with working directory subdir in this case, so the security hole matters only when suexec is run from the command line, as far as I know.
>How-To-Repeat:
See above.
>Fix:
Some protection is given by installing suexec with ownership root/httpd (server running as httpd/httpd) and permissions 4710, not 4711 as suggested. I recommend changing this in the documentation anyway. Note that if any scripts are run without suexec (i.e. as httpd/httpd) then they will still be able to call suexec themselves. Along with this, therefore, it should be recommended that a <VirtualHost _default_> with User cgi and Group cgi (say) is always used with suexec.

It would be even better to disallow '/' completely from the target command. (Patch available on request.) This relies on suexec being passed the relative pathname of the target command, which is what (at present) Apache does.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
