> On Feb 26, 2016, at 7:50 PM, [email protected] wrote:
>
> This is not a question on how to use suexec, that's fairly clear. The strict, hardwired conditions it's willing to suexec under are also spelled out pretty clearly. My question is the nature of these requirements -- why they're the way they are. The user and group requirements specifically.
>
> suexec insists that the file being executed needs to be the same owner and group as what the web server will be running as after suexec. Doesn't this requirement make things *less* secure? You can't really protect a file against its own owner overwriting it. The same requirement is on the folder, leaving the web server two legal chmods away from allowing an exploit to create, delete, and modify files inside the vhost at will.
Those conditions are hardly unique. The other major suexec-like script, cgiwrapd, also had the same set of conditions and requirements. First of all, the idea is that the admin "trusts" whatever users are allowed to use suexec. It's also understood that the risk associated is directly related to how well tied-down the user account itself is. Finally, it's to ensure that when running as 'foo:bar', I can only access files that are owned by 'foo:bar'. If I am 'foo:bar' and I am trying to run a file owned by 'kirk:trek' then something is hinky, and we don't want to allow it.
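The ownership rule the two messages argue about is easy to see in code. The following is an added example, not code from the thread or from Apache's suexec: a small audit routine that applies the checks to a script and its containing directory before the server would switch to the target uid:gid. The uid/gid numbers for 'foo:bar' and 'kirk:trek' are constructed for the example. The ownership checks are the ones discussed above; the writable-by-others and setuid/setgid checks are suexec's additional conditions (not spelled out in the thread) and are what stop the "two legal chmods" from quietly widening who can alter the script.

```python
import os
import stat
from dataclasses import dataclass

# Constructed sample identities for the scenario in the thread: the web
# server will switch to 'foo:bar', and one script is owned by 'kirk:trek'.
# These uid/gid numbers are made up for the example.
FOO_UID, BAR_GID = 1001, 1001
KIRK_UID, TREK_GID = 1002, 1002


@dataclass(frozen=True)
class Entry:
    """Ownership and mode bits of one filesystem object (from os.stat or constructed)."""
    uid: int
    gid: int
    mode: int  # full st_mode, including the file-type bits


def check_target(target_uid, target_gid, directory, script):
    """Return the list of reasons the script must NOT be run as target_uid:target_gid.

    An empty list means every check passed. The ownership checks are the ones the
    thread discusses; the writable-by-others and setuid/setgid checks mirror the
    extra conditions suexec enforces (assumption from suexec's policy, not from
    the thread) so that a chmod by the owner cannot hand the script to others.
    """
    problems = []
    if (directory.uid, directory.gid) != (target_uid, target_gid):
        problems.append("directory not owned by target uid:gid")
    if (script.uid, script.gid) != (target_uid, target_gid):
        problems.append("script not owned by target uid:gid")
    if directory.mode & stat.S_IWOTH:
        problems.append("directory is writable by others")
    if script.mode & stat.S_IWOTH:
        problems.append("script is writable by others")
    if script.mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid or setgid")
    if not stat.S_ISREG(script.mode):
        problems.append("script is not a regular file")
    return problems


def entry_from_path(path):
    """Build an Entry from a real path (used when auditing a live vhost tree)."""
    st = os.stat(path)
    return Entry(st.st_uid, st.st_gid, st.st_mode)


def check_path(target_uid, target_gid, script_path):
    """Audit a real script and its containing directory against the policy."""
    script_path = os.path.abspath(script_path)
    return check_target(target_uid, target_gid,
                        entry_from_path(os.path.dirname(script_path)),
                        entry_from_path(script_path))


if __name__ == "__main__":
    # Constructed stat data: a vhost directory owned by foo:bar and three scripts.
    vhost_dir = Entry(FOO_UID, BAR_GID, stat.S_IFDIR | 0o755)
    own_script = Entry(FOO_UID, BAR_GID, stat.S_IFREG | 0o755)    # allowed
    kirk_script = Entry(KIRK_UID, TREK_GID, stat.S_IFREG | 0o755)  # wrong owner
    loose_script = Entry(FOO_UID, BAR_GID, stat.S_IFREG | 0o777)   # owner chmod'ed o+w
    for label, script in [("own", own_script), ("kirk", kirk_script), ("o+w", loose_script)]:
        print(label, check_target(FOO_UID, BAR_GID, vhost_dir, script) or "allowed")
```

Run it as a script to see the three constructed cases, or call `check_path(uid, gid, "/path/to/script.cgi")` against a real document root to audit what an admin has handed to suexec. The point the reply makes is visible in the second case: the owner match is not there to protect the file from its owner, it is there so that a process running as 'foo:bar' never executes something 'kirk:trek' controls.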
