https://bz.apache.org/bugzilla/show_bug.cgi?id=69356
--- Comment #2 from Jeffrey Bencteux <jeffbenct...@gmail.com> ---

Indeed the above code could be correct for restoring privileges. However, I found the instance of that issue where privileges are dropped in the same file:

    static int privileges_req(request_rec *r)
    {
        /* secure mode: fork a process to handle the request */
    ...
        /* OK, now drop privileges. */

        /* cleanup should happen even if something fails part-way through here */
        apr_pool_cleanup_register(r->pool, r, privileges_end_req,
                                  apr_pool_cleanup_null);
        /* set user and group if configured */
        if (cfg->uid || cfg->gid) {
            if (setppriv(PRIV_ON, PRIV_EFFECTIVE, priv_setid) == -1) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02144)
                              "No privilege to set user/group");
            }
            /* if we should be able to set these but can't, it could be
             * a serious security issue.  Bail out rather than risk it!
             */
            if (cfg->uid && (setuid(cfg->uid) == -1)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02145)
                              "Error setting userid");
                return HTTP_INTERNAL_SERVER_ERROR;
            }
            if (cfg->gid && (setgid(cfg->gid) == -1)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02146)
                              "Error setting group");
                return HTTP_INTERNAL_SERVER_ERROR;
            }
        }

I believe this code is used to drop privileges in the child process when "PrivilegesMode SECURE" is used. An attacker controlling code executed in the child process can do a subsequent call to setgid() and regain privileges, making the SECURE mode ineffective.

I am attaching a new version of the patch to fix that section of the code.
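The concern raised in the comment above is whether a privilege drop can be undone by a later set*id() call. The following is an added example, not code from mod_privileges.c or from the attached patch: a POSIX sketch that changes group before user and then probes that ID 0 cannot be regained. The names `drop_privileges_permanently` and `verify_dropped` are hypothetical, and the sketch assumes classic uid/gid credentials only; it does not handle the Solaris privilege sets that setppriv() manages.

```c
/* Added example (POSIX credentials only; not code from mod_privileges.c). */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 if the process runs as uid/gid and cannot get ID 0 back,
 * -1 otherwise. A caller that gets -1 must stop, not continue. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    /* Probe: for an unprivileged target these calls have to fail.
     * Success means a saved ID or a leftover privilege remained. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (uid != 0 && gid != 0 && setgid(0) == 0)
        return -1;
    return 0;
}

/* Permanently switch to uid/gid: groups first, user last. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    /* Changing groups needs privilege, so do it before giving up uid 0.
     * setgroups() is skipped when not root because it would fail anyway. */
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1)   /* as root: sets real, effective, saved gid */
        return -1;
    if (setuid(uid) == -1)   /* as root: sets real, effective, saved uid */
        return -1;
    return verify_dropped(uid, gid);
}

int main(void)
{
    /* Constructed demo: "drop" to the IDs we already have, so this runs
     * without root; a server would pass its configured uid/gid. */
    int rc = drop_privileges_permanently(getuid(), getgid());
    printf("drop %s\n", rc == 0 ? "verified" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```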