Since there have been some changes to the affected source files
and multiple problems presented themselves in unixd.c, my patches
to make suexec + [ mod_include | mod_userdir | mod_cgid ] work
were getting stale. So I've rediffed them against CVS.
I also had a good look through all of the suexec bugs, I'm using
the patches on a production system now with over 2000 shell users
(redbrick.dcu.ie) and it's proving stable.
Anyway, I think they fix these :
PR 7810 - suexec + mod_userdir + mod_cgid needed fixing (also
it's currently insecure by default, this really needs
to be fixed)
PR 7791 - malformed arguments array passed to suexec
PR 8291 - mod_include + suexec "exec cmd" not working
PR 9038 - really a duplicate of 7810
Some notes:
1: http://redbrick.dcu.ie/~colmmacc/patches/mod_cgid.patch
2: http://redbrick.dcu.ie/~colmmacc/patches/unixd.patch
3: http://redbrick.dcu.ie/~colmmacc/patches/mod_include.patch
patch 1 (mod_cgid.c) fixes 7810/9039/mod_cgid, it just works.
patch 2 (unixd.c) fixes 7791 and 8291
patch 3 (mod_include.c) makes patch 2 secure. (otherwise include
file="some.cgi" runs as the server user)
Other Patches:
These are against 2.0.36, but should apply to CVS.
Whilst trawling code for patch 2 I noticed that in
srclib/apr/threadproc/unix/proc.c shell commands get executed
as:
shell -c argv0 argv1 argv2
I believe it should be:
shell -c "argv0 argv1 .."
I initially fixed the suexec problem this way ... because "shell -c
suexec user group ... " would never work (at least with my /bin/sh),
but fixing it such that "shell -c 'suexec user group ... '" leads to
simple exploits like :
<!--#exec cmd="somecmd ; evilcmd"-->
being trivial. I used the code in patch 4 (proc.c) to fix this for
me though (for the general non-suexec case) ... it might be desireable
anyway , just to have exec cmd work in general.
4: http://redbrick.dcu.ie/~colmmacc/patches/proc.patch
And finally , a whole bundle of patches related to the comment in the
STATUS file:
* PR#1120: suexec
suexec does not parse arguments to #exec cmd
I decided to make this work, for my own amusement. The result is rather
convoluted though , but if anyone is interested in resolving this issue,
it's there. Basically just define a trusted system shell at buildtime
and have suexec allow it be used .. and have unixd.c detect shellcmd's
and warp what suexec gets sent on that basis. It's at:
http://redbrick.dcu.ie/~colmmacc/patches/suexec-shell.patch
All of the patches are proving useful to us at least, but I would
say that a patch to mod_cgid should be a matter of priority for
the next release of apache, as it is currently a security hole.
--
[EMAIL PROTECTED] PubKey: [EMAIL PROTECTED]
Web: http://devnull.redbrick.dcu.ie/
