Received: (qmail 181 invoked by uid 2012); 26 Jul 1999 03:21:25 -0000 Message-Id: <19990726032125.180.qmail@hyperreal.org> Date: 26 Jul 1999 03:21:25 -0000 From: Elliott Mitchell Reply-To: ehem@cat.pdx.edu To: apbugs@hyperreal.org Subject: Directory Ownership X-Send-Pr-Version: 3.2 >Number: 4765 >Category: suexec >Synopsis: Directory Ownership >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: apache >Arrival-Date: Sun Jul 25 20:30:01 PDT 1999 >Closed-Date: Fri Jan 07 14:39:03 PST 2000 >Last-Modified: Fri Jan 07 14:39:03 PST 2000 >Originator: ehem@cat.pdx.edu >Release: 1.3.1 >Organization: >Environment: Solaris 2.5.1 (SunOS 5.5.1) Sparc, GCC 2.7.2.1 >Description: According to the documentation for suEXEC, the only test on the directory where CGIs are located is "Is the directory NOT writable by anyone else?". By testing it is pretty clear the group on the directory is also checked. >How-To-Repeat: Change the group for a user's CGI-bin directory to any group other than the owner's default. >Fix: Either fix the documentation (http://www.apache.org/docs/suexec.html) or remove this test from suEXEC. IMHO I think the test should be removed since checking the directory's group doesn't appear to improve security in any way. In fact makes it impossible to have a user's WWW directory owned by a web group, restrict access to Apache only, and then have the actual CGI programs owned by the user's group (to meet that requirement of suEXEC). >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: coar State-Changed-When: Fri Jan 7 14:39:03 PST 2000 State-Changed-Why: The documentation was updated a while ago. Please upgrade to Apache 1.3.9. Class-Changed-From-To: sw-bug-doc-bug Class-Changed-By: coar Class-Changed-When: Fri Jan 7 14:39:03 PST 2000 >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]