I've created a patch for it, as I didn't have my question answered :) From my point of view it's still secure, as it doesn't allow setting SuexecUserGroup in .htaccess. I tested it and had no problems with it. Please include it in trunk if you think it's okay to add it.

=========================

--- httpd-2.4.10/modules/generators/mod_suexec.c.old 2011-12-05 01:08:01.000000000 +0100 +++ httpd-2.4.10/modules/generators/mod_suexec.c 2014-09-11 00:16:21.444000009 +0200
@@ -59,7 +59,7 @@
                                    const char *uid, const char *gid)
 {
     suexec_config_t *cfg = (suexec_config_t *) mconfig;
-    const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
+ const char *err = ap_check_cmd_context(cmd, NOT_IN_LOCATION|NOT_IN_FILES);

     if (err != NULL) {
         return err;
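Review bot: the new mask `NOT_IN_LOCATION|NOT_IN_FILES` only drops the NOT_IN_DIRECTORY bit from the old NOT_IN_DIR_LOC_FILE, so <Location> and <Files> are still rejected, but this check no longer says anything about .htaccess; the only thing keeping the directive out of .htaccess is the absence of any OR_* bit in the command table's req_override mask. If http_config.h in this tree provides NOT_IN_HTACCESS, add it here (`ap_check_cmd_context(cmd, NOT_IN_LOCATION|NOT_IN_FILES|NOT_IN_HTACCESS)`) so the context check enforces the thread-safety concern stated in the XXX comment on its own, rather than relying on the override mask never gaining an OR_* bit. Also, the `+` line has lost the four-space indentation of the line it replaces; keep the surrounding indentation.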
@@ -116,7 +116,7 @@
 {
/* XXX - Another important reason not to allow this in .htaccess is that
      * the ap_[ug]name2id() is not thread-safe */
-    AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL, RSRC_CONF,
+ AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL, RSRC_CONF|ACCESS_CONF,
       "User and group for spawned processes"),
     { NULL }
 };
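Review bot: adding ACCESS_CONF with no OR_* bit does keep SuexecUserGroup out of .htaccess, which is what the XXX comment above requires, but that comment is now incomplete: it explains only why .htaccess is excluded and says nothing about <Directory> now being allowed while <Location> and <Files> remain rejected by set_suexec_ugid. Extend the comment (for example "Allowed in <Directory>; <Location>, <Files> and .htaccess are rejected in set_suexec_ugid") so the two hunks stay in sync, and update the directive's documented Context in the mod_suexec manual page to list the directory context. As in the first hunk, the `+` line should keep the four-space indentation of the line it replaces.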

=========================

Best regards,
Martynas Bendorius

On 8/1/14 1:36 PM, Martynas Bendorius wrote:
Just bringing the email up, it's likely that the mod_suexec developers missed the email. Thank you! :)

—
Best Regards,
Martynas Bendorius

On Jul 18, 2014, at 12:53 AM, Martynas Bendorius <marty...@martynas.it> wrote:

Hello,

The following question hasn't been answered on the dev list, so I'm trying to ask it again here: http://mail-archives.apache.org/mod_mbox/httpd-dev/201205.mbox/%3cca+-xxsfms0yrmzzitl0x-sgvgzbvxfzvrt57hh163dabrz_...@mail.gmail.com%3E :)

Would it be secure to use SuexecUserGroup inside a Directory context? And is there any reason why that is still not available? From our point of view, that would provide more security; however, there might have been other technical/security reasons why it is not available/supported yet. I've found requests for it in 2005's https://issues.apache.org/bugzilla/show_bug.cgi?id=37564 and a patch written in 2003 at https://www.mail-archive.com/dev@httpd.apache.org/msg17561.html.

Thank you for the answers!

—
Best Regards,
Martynas Bendorius
