Received: (qmail 474 invoked by uid 2012); 18 Aug 1998 20:11:43 -0000 Message-Id: <19980818201143.473.qmail@hyperreal.org> Date: 18 Aug 1998 20:11:43 -0000 From: Erich Stuntebeck Reply-To: erichps@monmouth.com To: apbugs@hyperreal.org Subject: Apache allows execution of setuid cgi's without suexec installed. X-Send-Pr-Version: 3.2 >Number: 2868 >Category: suexec >Synopsis: Apache allows execution of setuid cgi's without suexec installed. >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Aug 18 13:20:01 PDT 1998 >Last-Modified: Tue Aug 18 14:30:01 PDT 1998 >Originator: erichps@monmouth.com >Organization: >Release: 1.3.1 >Environment: RedHat Linux 5.1, Kernel 2.0.35. gcc compiler version 2.7.2.3-11. >Description: I had trouble installing the suExec module, and once it compiled, it did not appear to be loading when the server loaded. I set the suid bit on the cgi, and the cgi ran as the owner. However, I was able to run cgi's as root. Also, I replaced my apache installation with the original, which was NOT configured to run suEXEC, and the cgi's continued to execute as the owner. >How-To-Repeat: chmod 4711 file.cgi; this sets the setuid bit, and apahce will execute the file as the owner. >Fix: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: marc State-Changed-When: Tue Aug 18 13:25:26 PDT 1998 State-Changed-Why: Erm... yea, so? That is the way Unix has always worked. If a program is setuid then it executes by the user it is setuid to. That isn't a bug or a feature in Apache, but just the way things are on Unix. Note that this also allows others to excute it setuid to whatever user you setuid it to, which can lead to security issues if your CGI isn't secure. From: Marc Slemko To: Erich Stuntebeck Cc: apbugs@apache.org Subject: Re: suexec/2868: Apache allows execution of setuid cgi's without suexec installed. Date: Tue, 18 Aug 1998 14:26:45 -0700 (PDT) On Tue, 18 Aug 1998, Erich Stuntebeck wrote: > So you are saying that the setuid bit should not be set on files, and > that suExec will automatically run the cgi as the user it is owned by? Yes, subject to the constraints listed in the documentation. suexec has nothing to do with the setuid bit on files. > > > Synopsis: Apache allows execution of setuid cgi's without suexec > installed. > > State-Changed-From-To: open-closed > State-Changed-By: marc > State-Changed-When: Tue Aug 18 13:25:26 PDT 1998 > State-Changed-Why: > Erm... yea, so? > > That is the way Unix has always worked. If a program is > setuid then it executes by the user it is setuid to. That > isn't a bug or a feature in Apache, but just the way things > are on Unix. > > Note that this also allows others to excute it setuid > to whatever user you setuid it to, which can lead to > security issues if your CGI isn't secure. > >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]