Hello, I am running an apache 2.4 server (2.4.18-2ubuntu3.1) on Ubuntu 16.04 with mod_userdir, mod_suexec_custom, mod_cgid and php5.6-cgi.
Users can place arbitrary documents and scripts in their userdirs and are not considered trusted, so should not be able to interfere with anything except their own scripts and should not be able to do anything other than have apache execute their scripts with their
https://httpd.apache.org/docs/2.4/mod/mod_cgid.html#scriptsock says:
The socket will be opened using the permissions of the user who starts Apache (usually root). To maintain the security of communications with CGI scripts, it is important that no other user has permission to write in the directory where the socket is located.
To make CGID work with suexec+userdir, I've had to change the socket to make it group-owned by www-data and with g+w set:
me@box:~$ ls -al /var/run/apache2/
total 4
drwxr-xr-x  2 root     root       80 Oct 20 09:09 .
drwxr-xr-x 25 root     root     1000 Oct 20 10:38 ..
-rw-r--r--  1 root     root        5 Oct 20 09:09 apache2.pid
srwx-w----  1 www-data www-data    0 Oct 20 09:09 cgisock.9822
I hacked up the init script to perform this, by adding the following to apache_wait_start:
# Find the cgid socket apache just created (the name carries the parent pid),
# hand it to the www-data group and let that group write to it.
for sockfile in /var/run/apache2/cgisock.*; do
    if [ -S "$sockfile" ]; then
        chown www-data:www-data "$sockfile"
        chmod g+w "$sockfile"
        break   # only one live socket is expected
    fi
done
This works because suexec apparently retains the www-data group membership. (Here's the output of a php script that echoes posix_getuid() and runs system('id -a'):
31524 uid=31524(erlacher) gid=20909(tumuser) groups=20909(tumuser),0(root),4(adm),33(www-data),108(syslog),5177(sambarbg),9044(rbg),14777(ljfs),16693(desktop)
Ignore the "root" group, that's part of my groups. Of course it would be nice to have suexec drop groups, but that's not a feature that exists...
) Now, getting back to the statement in the apache docs: Is this a security violation / vulnerability? What can an attacker do with that socket other than execute arbitrary programs on the machine using their own permissions (plus www-data group)? They can already do that by virtue of being able to place arbitrary cgi scripts in their userdirs.
Thank you for any thoughts or pointers! Best regards, Luke
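An added audit script (not part of the original post) that checks a cgid socket directory against the mod_cgid advice quoted above: the directory must not be writable by anyone but its owner, and the socket's own write bits decide which group or users can reach the daemon. GNU stat (as on Ubuntu) and the /var/run/apache2 layout shown above are assumed.

```shell
#!/bin/sh
# Audit a mod_cgid socket directory. Exit status: 0 when nothing is found,
# 1 when a FINDING is printed, 2 when the directory cannot be read.
audit_cgid_socket() {
    dir="$1"
    rc=0
    # %A gives a symbolic mode like drwxr-xr-x; column 6 is group-write,
    # column 9 is world-write.
    perm=$(stat -c '%A' "$dir" 2>/dev/null) || return 2
    owner=$(stat -c '%U' "$dir")
    if [ "$(printf '%s' "$perm" | cut -c6)" = w ] ||
       [ "$(printf '%s' "$perm" | cut -c9)" = w ]; then
        echo "FINDING: $dir ($perm, owner $owner) is group/world writable;"
        echo "         a non-owner could remove or replace the socket"
        rc=1
    fi
    for sock in "$dir"/cgisock.*; do
        [ -e "$sock" ] || continue   # glob matched nothing
        sperm=$(stat -c '%A' "$sock")
        sgrp=$(stat -c '%G' "$sock")
        if [ "$(printf '%s' "$sperm" | cut -c9)" = w ]; then
            echo "FINDING: $sock ($sperm) is world-writable: any local user can reach cgid"
            rc=1
        elif [ "$(printf '%s' "$sperm" | cut -c6)" = w ]; then
            # Group-writable, as in the suexec+userdir setup above: every
            # member of that group, including suexec'd scripts that keep it
            # as a supplementary group, can write to the socket.
            members=$(getent group "$sgrp" 2>/dev/null | cut -d: -f4)
            echo "INFO: $sock ($sperm) writable by group $sgrp; members: ${members:-none listed}"
        fi
    done
    return $rc
}

# Usage: audit_cgid_socket /var/run/apache2
```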