For someone who is going to review the patch, I am adding more
information of why is the patch needed. Patch includes only a few minor
changes to it, that would help shared web hosting to adopt FastCGI for
some critical parts like global aliases. Currently it's impossible to
switch user for aliases (and with the patch it's easy to do).
That's needed for situations like:
Alias /roundcube "/var/www/html/roundcube-1.0.2/"
If application is placed under /var/www/html, it has a different user
set when accessing the alias from user's virtualhost, so SuexecUserGroup
needs to be specified globally like:
<Directory /var/www/html>
SuexecUserGroup webapps webapps
</Directory>
That way when accessing anydomain.com/roundcube, it would be executed
under "webapps" user permissions. Without the patch, due to
SuexecUserGroup suexec configuration in VirtualHost context for the
customer (shared hosting account), it's executed under customer's
permissions (and most often the client doesn't have enough of
permissions to read sensitive data like MySQL passwords and so on).
From my point of view it adds more security and flexibility when using
PHP-FastCGI under shared hosting environment.
Thank you!
Best regards,
Martynas Bendorius
On 9/11/14 1:26 AM, Martynas Bendorius wrote:
I've created a patch for it, as I didn't have my question answered :)
From my point of view it's still secure, as it doesn't allow to set
SuexecUserGroup in .htaccess. I tested it and had no problems with it.
Please include it into the trunk if you think it's okay to add it.
=========================
--- httpd-2.4.10/modules/generators/mod_suexec.c.old 2011-12-05
01:08:01.000000000 +0100
+++ httpd-2.4.10/modules/generators/mod_suexec.c 2014-09-11
00:16:21.444000009 +0200
@@ -59,7 +59,7 @@
const char *uid, const char *gid)
{
suexec_config_t *cfg = (suexec_config_t *) mconfig;
- const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
+ const char *err = ap_check_cmd_context(cmd,
NOT_IN_LOCATION|NOT_IN_FILES);
if (err != NULL) {
return err;
@@ -116,7 +116,7 @@
{
/* XXX - Another important reason not to allow this in .htaccess
is that
* the ap_[ug]name2id() is not thread-safe */
- AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL, RSRC_CONF,
+ AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL,
RSRC_CONF|ACCESS_CONF,
"User and group for spawned processes"),
{ NULL }
};
=========================
Best regards,
Martynas Bendorius
On 8/1/14 1:36 PM, Martynas Bendorius wrote:
Just bringing the email up, it’s likely that mod_suexec developers
missed the email. Thank you! :)
—
Best Regards,
Martynas Bendorius
On Jul 18, 2014, at 12:53 AM, Martynas Bendorius
<[email protected]> wrote:
Hello,
The following question hasn’t been answered in the dev list, so I’m
trying to ask it again here:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201205.mbox/%3cca+-xxsfms0yrmzzitl0x-sgvgzbvxfzvrt57hh163dabrz_...@mail.gmail.com%3E
:)
Would it be secure to use SuexecUserGroup inside Directory context?
And is there any reason why that is still not available? From our
point of view, that would provide more security, however, there might
have been other technical/security reasons why it is not
available/supported yet. I’ve found requests for that in 2005’s
https://issues.apache.org/bugzilla/show_bug.cgi?id=37564 and a patch
written in 2003
https://www.mail-archive.com/[email protected]/msg17561.html.
Thank you for the answers!
—
Best Regards,
Martynas Bendorius
--- httpd-2.4.10/modules/generators/mod_suexec.c.old 2011-12-05
01:08:01.000000000 +0100
+++ httpd-2.4.10/modules/generators/mod_suexec.c 2014-09-11
00:16:21.444000009 +0200
@@ -59,7 +59,7 @@
const char *uid, const char *gid)
{
suexec_config_t *cfg = (suexec_config_t *) mconfig;
- const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
+ const char *err = ap_check_cmd_context(cmd, NOT_IN_LOCATION|NOT_IN_FILES);
if (err != NULL) {
return err;
@@ -116,7 +116,7 @@
{
/* XXX - Another important reason not to allow this in .htaccess is that
* the ap_[ug]name2id() is not thread-safe */
- AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL, RSRC_CONF,
+ AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL,
RSRC_CONF|ACCESS_CONF,
"User and group for spawned processes"),
{ NULL }
};
