Received: (qmail 94077 invoked by uid 501); 5 Oct 2000 15:46:21 -0000 Message-Id: <20001005154621.94076.qmail@locus.apache.org> Date: 5 Oct 2000 15:46:21 -0000 From: Jerrad Pierce Reply-To: belg4mit@mit.edu To: submit@bugz.apache.org Subject: suexec logic odd X-Send-Pr-Version: 3.110 >Number: 6629 >Category: suexec >Synopsis: suexec logic odd >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu Oct 05 08:50:00 PDT 2000 >Closed-Date: Thu Oct 05 17:46:11 PDT 2000 >Last-Modified: Thu Oct 05 17:46:11 PDT 2000 >Originator: belg4mit@mit.edu >Release: 1.3.9 >Organization: >Environment: RedHat 6.0 Commerce, Redhat 6.0 pgcc-2.95.2 1999102 Linux chlorate 2.2.5-15smp #1 SMP Mon Apr 19 22:43:28 EDT 1999 i686 unknown >Description: Given: User nobody Group Nobody ... User bob Group marley ScriptAlias /home/bobo/cgi-bin ... /home/bob/cgi-bin must be at least 705 (assuming nobody is not in marley, if so then 750) Suexec does not get invoked and the setuid/setgid is not run before the enetering the directory... It seems howver, that if the purpose of suexec is to make CGI act exactly as if the user were at the command line, it should setuid/setgid *before* descending into the directory... This way user's could have a more secure 700 mode for there cgi-bin (yes, it just prevent's reading... but o+rx still seems a bad requirement...) >How-To-Repeat: >Fix: setuid/setgid before chdir/execing the CGI (or determing that it's there even) >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: slive State-Changed-When: Thu Oct 5 17:46:11 PDT 2000 State-Changed-Why: The idea behind suexec is to complete ALL the security checks BEFORE allowing the suid process to go ahead. That way, any error would result in no extra permissions being granted. For this reason, suexec must be able to access the file under its original permissions. Thanks for using Apache. >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]