Received: (qmail 25103 invoked by uid 501); 6 Dec 2000 01:30:50 -0000 Message-Id: <20001206013050.25100.qmail@locus.apache.org> Date: 6 Dec 2000 01:30:50 -0000 From: Brian Nelson Reply-To: brinel@earthlink.net To: submit@bugz.apache.org Subject: suexec does not check cgi's from within the docroot (blind execution) X-Send-Pr-Version: 3.110 >Number: 6933 >Category: suexec >Synopsis: suexec does not check cgi's from within the docroot (blind execution) >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Dec 05 17:40:02 PST 2000 >Closed-Date: Tue Dec 05 20:10:47 PST 2000 >Last-Modified: Wed Dec 6 08:10:04 PST 2000 >Originator: brinel@earthlink.net >Release: 1.3.12 >Organization: >Environment: Solaris 8 on UltraSparc gcc 2.95.2 >Description: Cgi programs within the main docroot are not getting run through suexec. programs called from user's directories go through suexec just fine. programs attampted to run who are outside public_html and the main docroot, suexec makes an error saying that the command is outside the docroot. Programs called from the main docroot just get executed as if suexec was disabled. It appears that suexec doesnt even get called in this condition. >How-To-Repeat: compile out of box w/suexec. add ExecCGI to docroot and add .cgi handeler any .cgi progs run w/o suexec >Fix: Unless this is the correct behaviour.. I dont see any reason why it should be skipping over the docroot stuff. BTW the doc page fo suexec is _very_ scarce as far as behavior (maybe its supposed to do this?!?) and examples and error explinations. That should be fixed >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: slive State-Changed-When: Tue Dec 5 20:10:46 PST 2000 State-Changed-Why: Yes, the suexec docs are a little sketchy. However, what you are asking for does not make any sense. If the request is for the main server, not under any vhost, then what user and group would suexec change to? (That is a rhetorical question ;-) If you to use suexec on the main server, you should configure a vhost to catch requests for the main server and place the appropriate User and Group directive in the vhost. Thanks for using Apache. From: Brian Nelson To: slive@apache.org Cc: apbugs@apache.org Subject: Re: suexec/6933: suexec does not check cgi's from within the docroot (blind execution) Date: Wed, 06 Dec 2000 09:59:20 -0500 slive@apache.org wrote: > > [In order for any reply to be added to the PR database, you need] > [to include in the Cc line and make sure the] > [subject line starts with the report component and number, with ] > [or without any 'Re:' prefixes (such as "general/1098:" or ] > ["Re: general/1098:"). If the subject doesn't match this ] > [pattern, your message will be misfiled and ignored. The ] > ["apbugs" address is not added to the Cc line of messages from ] > [the database automatically because of the potential for mail ] > [loops. If you do not include this Cc, your reply may be ig- ] > [nored unless you are responding to an explicit request from a ] > [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ] > > Synopsis: suexec does not check cgi's from within the docroot (blind execution) > > State-Changed-From-To: open-closed > State-Changed-By: slive > State-Changed-When: Tue Dec 5 20:10:46 PST 2000 > State-Changed-Why: > > Yes, the suexec docs are a little sketchy. However, > what you are asking for does not make any sense. > If the request is for the main server, not under > any vhost, then what user and group would suexec > change to? (That is a rhetorical question ;-) > > If you to use suexec on the main server, you should > configure a vhost to catch requests for the main > server and place the appropriate User and Group > directive in the vhost. > > Thanks for using Apache. It makes sense to me *grin*. In my senerio, I am the admin for the server only, not content. The server runs as websrv. There are several vhosts, as well as many userdir pages. But, there is still one 'main' page for the site (docroot), which is maintained by other various random persons (not me). The main docroot is owned by webadmin. (therfore someone else than the server is running). As the admin, I want the security feature of suexec for _all_ cgi, as i am very afraid of whatever crazy ideas the users may come up with in their code. The docroot would be included since it is maintained by others. What is can do is probablly just convert the docroot into a vhost like you said, and it should work find. In theory though, even if the docroot and httpd were owned by the same person, it would be nice to have suexec do the sanity checks against the cgi, even if it dosnt end up suing to anyone different. Just a thought :) >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]