On Friday 01 April 2016 14:03:12, [email protected] wrote:
> On 2016-03-30 16:35, Jacob Champion wrote:
> >> Sorry, but that is not a good approach. You must assume that a
> >> local attacker calls suexec directly and passes arguments of his
> >> liking. That is the attack vector that suexec's rather annoying
> >> restrictions try to avoid.
> >
> > Checking my own understanding... so if an attacker is able to make
> > arbitrary calls to suexec as the httpd user (which requires another
> > vulnerability to begin with) then with this patch, they are able to
> > execute any scripts in the DocumentRoot as any user. Whereas before they
> > would have been limited to running scripts only as their owners.
> > Is that correct?
Yes. Without the patch, a user would have to "opt in" to using suexec by
putting an executable file in one of the paths allowed by suexec. With the
patch, suexec would allow the apache user to become every other user, just
by being installed.

Of course people may modify suexec to suit their use cases and the situation
on their servers. But for a suexec variant that is shipped by apache by
default, it is important that it does not allow local privilege escalation,
not in any situation.

So imagine a multi-user server where users are allowed to execute cgi/php
scripts as the httpd run user in their ~/public_html folder. This is not a
very smart setup, but I am 100% sure that such setups exist. If suexec
allowed suid to a user different from the owner of a script, on that server
it would allow any local user to execute any script as any other user. Even
if suexec checked that the script is owned by a special "trusted" user, it
would still allow executing that script as any user, without any "opt-in"
necessary by the target user.

> Yes, it's a plausible exploit.
>
> > A third approach from the original IRC discussion was to simply
> > compile the "trusted" user/group directly into suexec, as another
> > configured option.
>
> You thought of it first... That's probably what I'll try next.

As outlined above, I don't think this would be appropriate to include in the
suexec shipped with apache httpd.

BTW, using the immutable flag (which can only be done by root) on the scripts
is a work-around for your problem that does not involve modifying suexec.
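The owner-must-match rule the reply relies on, as an added C example (this is not Apache's suexec source): a target user has "opted in" only when the script and its directory belong to that user, and everything else is refused. The function names, reason codes and the `self_test` helper with its constructed temp directory are my own, not suexec's.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reason codes returned by check_target_script() (hypothetical names). */
enum { OK = 0, E_STAT, E_NOT_REGULAR, E_OWNER, E_WRITABLE, E_SETID,
       E_DIR_OWNER, E_DIR_WRITABLE };

/* The target user opts in only by owning the script and its directory;
 * a script owned by anyone else (even a "trusted" user) is refused. */
int check_target_script(const char *path, uid_t target_uid, gid_t target_gid)
{
    struct stat st, dst;
    char dirbuf[4096];
    if (lstat(path, &st) != 0) return E_STAT;           /* do not follow symlinks */
    if (!S_ISREG(st.st_mode)) return E_NOT_REGULAR;
    if (st.st_uid != target_uid || st.st_gid != target_gid) return E_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return E_WRITABLE;
    if (st.st_mode & (S_ISUID | S_ISGID)) return E_SETID;
    /* Parent directory: owned by the target and not writable by others,
     * otherwise another local user could drop a script into it. */
    strncpy(dirbuf, path, sizeof dirbuf - 1);
    dirbuf[sizeof dirbuf - 1] = '\0';
    if (stat(dirname(dirbuf), &dst) != 0) return E_STAT;
    if (dst.st_uid != target_uid) return E_DIR_OWNER;
    if (dst.st_mode & (S_IWGRP | S_IWOTH)) return E_DIR_WRITABLE;
    return OK;
}

/* Self-test on a constructed temp directory and script: accepted for the
 * real owner, refused for any other uid, and refused again once the file
 * is group/world writable. Returns 1 when all three outcomes match. */
int self_test(void)
{
    char dir[] = "/tmp/suexec-demo-XXXXXX", file[64];
    int fd, r_owner, r_other, r_writable;
    if (mkdtemp(dir) == NULL) return 0;                 /* mode 0700, owned by us */
    snprintf(file, sizeof file, "%s/script.cgi", dir);
    if ((fd = open(file, O_CREAT | O_WRONLY, 0750)) < 0) return 0;
    close(fd);
    r_owner = check_target_script(file, getuid(), getgid());
    r_other = check_target_script(file, getuid() + 1, getgid());
    chmod(file, 0777);
    r_writable = check_target_script(file, getuid(), getgid());
    unlink(file); rmdir(dir);
    return r_owner == OK && r_other == E_OWNER && r_writable == E_WRITABLE;
}
```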
