Since there have been some changes to the affected source files and multiple problems presented themselves in unixd.c, my patches to make suexec + [ mod_include | mod_userdir | mod_cgid ] work were getting stale. So I've rediffed them against CVS.
I also had a good look through all of the suexec bugs. I'm using the patches on a production system now with over 2000 shell users (redbrick.dcu.ie) and it's proving stable. Anyway, I think they fix these:

PR 7810 - suexec + mod_userdir + mod_cgid needed fixing (also it's currently insecure by default, this really needs to be fixed)
PR 7791 - malformed arguments array passed to suexec
PR 8291 - mod_include + suexec "exec cmd" not working
PR 9038 - really a duplicate of 7810

Some notes:

1: http://redbrick.dcu.ie/~colmmacc/patches/mod_cgid.patch
2: http://redbrick.dcu.ie/~colmmacc/patches/unixd.patch
3: http://redbrick.dcu.ie/~colmmacc/patches/mod_include.patch

patch 1 (mod_cgid.c) fixes 7810/9039/mod_cgid, it just works.
patch 2 (unixd.c) fixes 7791 and 8291
patch 3 (mod_include.c) makes patch 2 secure. (otherwise include file="some.cgi" runs as the server user)

Other Patches:

These are against 2.0.36, but should apply to CVS.

Whilst trawling code for patch 2 I noticed that in srclib/apr/threadproc/unix/proc.c shell commands get executed as:

shell -c argv0 argv1 argv2

I believe it should be:

shell -c "argv0 argv1 .."

I initially fixed the suexec problem this way ... because "shell -c suexec user group ... " would never work (at least with my /bin/sh), but fixing it such that "shell -c 'suexec user group ... '" leads to simple exploits like:

<!--#exec cmd="somecmd ; evilcmd"-->

being trivial. I used the code in patch 4 (proc.c) to fix this for me though (for the general non-suexec case) ... it might be desirable anyway, just to have exec cmd work in general.

4: http://redbrick.dcu.ie/~colmmacc/patches/proc.patch

And finally, a whole bundle of patches related to the comment in the STATUS file:

* PR#1120: suexec suexec does not parse arguments to #exec cmd

I decided to make this work, for my own amusement. The result is rather convoluted though, but if anyone is interested in resolving this issue, it's there.

Basically just define a trusted system shell at buildtime and have suexec allow it to be used .. and have unixd.c detect shellcmd's and warp what suexec gets sent on that basis. It's at:

http://redbrick.dcu.ie/~colmmacc/patches/suexec-shell.patch

All of the patches are proving useful to us at least, but I would say that a patch to mod_cgid should be a matter of priority for the next release of apache, as it is currently a security hole.

--
[EMAIL PROTECTED]
PubKey: [EMAIL PROTECTED]
Web: http://devnull.redbrick.dcu.ie/
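
Added example, not part of the original message or of the patches it links to: a shell sketch of the two `shell -c` invocation forms the message contrasts, with `echo` standing in for the executed command. The function names and the `MARK` string are constructed for illustration, and `run_positional` shows one general way to keep untrusted text out of the command string, which is an assumption and not necessarily what patch 4 does.

```shell
#!/bin/sh
# Constructed demonstration of how `sh -c` treats its arguments.
# "echo" stands in for the real command; MARK marks an unwanted second command.

# Form "shell -c argv0 argv1 argv2":
# only the first word after -c ("echo") is the command string. "one" becomes
# $0 and "two" becomes $1 of that shell, so the command runs with no arguments.
run_split() {
    sh -c echo one two
}

# Form "shell -c "argv0 argv1 ..."":
# the whole string is parsed as one command line, so the arguments arrive.
run_joined() {
    sh -c "echo one two"
}

# The joined form also parses shell metacharacters in whatever text was
# pasted into the string, so ';' starts a second command.
run_joined_untrusted() {
    sh -c "echo $1"
}

# Fixed command string; the untrusted text travels as a positional parameter
# and is expanded inside quotes, so it is never parsed as shell syntax.
run_positional() {
    sh -c 'echo "$1"' sh "$1"
}

# Constructed input mirroring the "somecmd ; evilcmd" shape from the message.
sample='one ; echo MARK'

printf 'split:      [%s]\n' "$(run_split)"
printf 'joined:     [%s]\n' "$(run_joined)"
printf 'untrusted:  [%s]\n' "$(run_joined_untrusted "$sample" | tr '\n' '|')"
printf 'positional: [%s]\n' "$(run_positional "$sample")"
```
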