Received: (qmail 68596 invoked by uid 501); 26 Mar 2001 17:55:24 -0000 Message-Id: <20010326175524.68595.qmail@apache.org> Date: 26 Mar 2001 17:55:24 -0000 From: Mark Frazer Reply-To: mark@somanetworks.com To: submit@bugz.apache.org Subject: Alias prevents suexec from wrapping cgi's X-Send-Pr-Version: 3.110 >Number: 7466 >Category: suexec >Synopsis: Alias prevents suexec from wrapping cgi's >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Mar 26 10:00:00 PST 2001 >Closed-Date: Mon Mar 26 16:02:02 PST 2001 >Last-Modified: Mon Mar 26 16:02:02 PST 2001 >Originator: mark@somanetworks.com >Release: 1.3.12 >Organization: >Environment: Linux jimmy.yyz.somanetworks.com 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown RedHat 7.0, as distributed >Description: I add the following alias to my httpd.conf Alias /configuration/ /export/home/mjfrazer/public_html/configuration/ and the cgi scripts that are in that directory no longer get wrapped by suexec. Going to the scripts using ~mjfrazer/configuration/script.cgi works fine though. Note that this could be a possible security issue if you want to give a user an alias but keep the user from exec'ing programs under the httpd's uid/gid. >How-To-Repeat: Add an alias to a directory in a user's web space. >Fix: If an alias is to a directory outside of the docroot, suexec should wrap all scripts. >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: slive State-Changed-When: Mon Mar 26 16:02:01 PST 2001 State-Changed-Why: Yes, this is a limitation in suexec. Suexec is designed to be simple and secure -- not flexible. If you are interested in more flexibility, you may wish to look into something like cgiwrap. Thanks for using Apache! >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]