On 2016-03-30 14:49, Stefan Fritsch wrote:
> On Saturday 19 March 2016 11:09:40, [email protected] wrote:
>> Since it's been a while since this issue was mentioned, this patch
>> allows Apache to suexec files by a different (but still restricted
>> by UID) owner, to avoid the security issue where apache forces you
>> to suexec to files it has full chmod access to.
>> -------- Original Message --------
>> Subject: suexec different-owner patch
>> Criticisms, please?
>
> You are doing the configuration parsing in httpd, and then pass the
> allowed uid/group to suexec as command line arguments.
> Sorry, but that is not a good approach. You must assume that a local
> attacker calls suexec directly and passes arguments of his liking.
> That is the attack vector that suexec's rather annoying restrictions
> try to avoid.

I begin to see. Instead of a situation that can't be exploited
without changing a file's ownership, it's a situation which can be
exploited by poking it until the right values are fed to it. Not good.

> So the config file parsing would have to be done inside suexec, with
> the config file path being compiled into the suexec utility. Of
> course, this would cause some slowdown because suexec would need to
> parse its config file on every request.

My interest in suexec was for keeping this info inside the apache
vhost config, instead of farming it out to external things which
aren't organized this way.
How about a hardcoded owner which is different from what's being
setuid to? That would prevent someone exploiting it, but still
insulate the files from being chmod-ed.
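
The review point in this thread (a setuid helper takes its policy from a file at a compiled-in path that it validates itself, never from the caller's command line), as an added example that is not part of the original messages or of Apache's suexec. The function name `owner_allowed`, the path `OWNER_MAP_PATH` and the two-column map format are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical compiled-in path: the caller cannot point us elsewhere. */
#define OWNER_MAP_PATH "/etc/suexec-owner-map.example"

/*
 * Returns 1 if files owned by file_owner may run as target_uid, 0 if the
 * pair is not listed, -1 if the map cannot be trusted.
 * Constructed map format, one pair per line: "<target_uid> <file_owner_uid>".
 */
int owner_allowed(const char *conf_path, uid_t trusted_owner,
                  uid_t target_uid, uid_t file_owner)
{
    struct stat st;
    unsigned long t, o;
    char line[128];
    int found = 0;
    /* O_NOFOLLOW: refuse a symlink planted in place of the map. */
    int fd = open(conf_path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* fstat the descriptor we read from, not the path, to avoid a race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != trusted_owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    FILE *fp = fdopen(fd, "r");
    if (fp == NULL) {
        close(fd);
        return -1;
    }
    while (fgets(line, sizeof line, fp) != NULL)
        if (sscanf(line, "%lu %lu", &t, &o) == 2 &&
            (uid_t)t == target_uid && (uid_t)o == file_owner)
            found = 1;
    fclose(fp);
    return found;
}

int main(void)
{
    /* Constructed uids; the map must be owned by root (uid 0). */
    int r = owner_allowed(OWNER_MAP_PATH, 0, 1001, 1002);
    printf("owner_allowed: %d\n", r);
    return r == 1 ? 0 : 1;
}
```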