> On Feb 29, 2016, at 11:22 AM, [email protected] wrote:
>
> I understand the point of not allowing apache to suexec any
> arbitrary file, and matching user:group makes sense to an extent.
> But using user:group as blind labels ignores what these permissions
> really mean to the kernel.

No, it's meant to work *with* file-level permissions.

> Any running program has access to modify any files and folders
> belonging to its user by definition. If you chmod that away,
> it can chmod them right back. This is very difficult to prevent
> without resorting to read-only filesystems, immutable bits, or
> ACL's. This is why most executables -- including suexec itself!
> -- aren't owned by the users who run them.
>
> The ability to name a specific required owner, DIFFERENT from
> what's being suexec-ed to, would close this security hole.

I still don't understand what your actual concern is, nor the attack vector that you are trying to fix. Can you provide more detail, being as specific as possible. Thx.
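To make the two ownership policies in this exchange concrete, here is an added illustration (not code from either poster, nor from Apache's suexec): a small policy check that evaluates a target file's ownership and mode bits against the user it would run as. With no `required_owner_uid` it applies the "owner and group must match the target user" rule described in the thread; with one, it applies the proposed stricter rule that the file must belong to a specific other user, so the account the script runs as cannot rewrite it. The name `check_suexec_target`, the `FileIdentity` record and the extra writable/setuid refusals are assumptions made for the example.

```python
import os
import stat
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FileIdentity:
    """Ownership and mode bits of a candidate target (hypothetical record for this example)."""
    uid: int
    gid: int
    mode: int  # permission bits as found in st_mode


def identity_from_path(path: str) -> FileIdentity:
    """Read ownership and mode from the filesystem via os.stat (not used by the offline test)."""
    st = os.stat(path)
    return FileIdentity(uid=st.st_uid, gid=st.st_gid, mode=stat.S_IMODE(st.st_mode))


def check_suexec_target(f: FileIdentity, target_uid: int, target_gid: int,
                        required_owner_uid: Optional[int] = None) -> List[str]:
    """Return the reasons the target should be refused; an empty list means allowed.

    required_owner_uid is None  -> match rule: file uid/gid must equal the target uid/gid.
    required_owner_uid is set   -> proposed rule: file must be owned by that uid, and that
                                   uid must differ from the target uid, so the executing
                                   user has no ownership rights over the file it runs.
    The writable/setuid refusals are an assumed hardening layer, independent of ownership.
    """
    reasons: List[str] = []
    if required_owner_uid is None:
        if f.uid != target_uid:
            reasons.append("owner does not match target uid")
        if f.gid != target_gid:
            reasons.append("group does not match target gid")
    else:
        if f.uid != required_owner_uid:
            reasons.append("owner is not the required owner")
        if f.uid == target_uid:
            reasons.append("required owner must differ from target uid")
    # A file writable by group or others can be altered by accounts other than its owner.
    if f.mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if f.mode & stat.S_IWGRP:
        reasons.append("group-writable")
    # Setuid/setgid on the target would change the identity the wrapper just established.
    if f.mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid bit set")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a script owned by uid/gid 1000, run as 1000/1000.
    own = FileIdentity(uid=1000, gid=1000, mode=0o700)
    print("match rule:", check_suexec_target(own, 1000, 1000))
    # Same file under the proposed rule, requiring root (uid 0) ownership.
    print("required-owner rule:", check_suexec_target(own, 1000, 1000, required_owner_uid=0))
```

Under the match rule the first sample passes even though the executing user owns, and can therefore rewrite, the script; under the required-owner rule the same file is refused for two reasons, which is exactly the gap the quoted message is describing.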
