[users@httpd] suexec improvement suggestion


Hello All,

Here is a brief summary of the problem:
---
http://issues.apache.org/bugzilla/show_bug.cgi?id=34863

There is a real problem if one needs to give a certain CGI script the
same permissions as REMOTE_USER has on the system.
This happens, for example, if we need to organize web access to a CVS
repository that stores projects of several groups of users and we
don't want a user of project1 to be able to access files from project2.

I'd suggest adding a configuration keyword for the VirtualHost section (or
the whole server) that would switch suexec mode from the original to the
'REMOTE_USER' one.
---

However, the Apache developers did not agree with me and suggested using
a separate tool. Unfortunately, the tool I found (securecgi) works
very badly with the cvsweb.pl script and causes memory leaks in Apache
(2.0.x) from time to time, so I had to limit MaxRequestsPerChild to 1.

I accumulated pros (from my point of view) and cons (from the Apache
developers' point of view) for implementing this feature inside Apache
rather than using a separate tool. Here they are:

Pros:
1. Ability to give access to user files on the server via the web
interface (easy work with CVS, etc.)
2. No separate buggy tools - the feature is supported by Apache and bugs are
fixed in a short time.
3. No problem with security if it is properly tuned and SSL is used (see
cons #1)

Cons:
1. By default it opens a security hole (running "as" remote_user
implies authenticating as a system user; combining that with the
insecurity of HTTP basic authentication allows passwords to be given away)
2. People might use it without SSL and the headlines will be about big
security holes in Apache.

So, I ask you, people, to tell me what you think about this feature.
Does anybody (besides me) need it? What other cons do you see?
I hope that if there are many people needing this feature, the Apache
developers will insert it into their to-do list.

Thank you.

-- 
Best regards,
 Alexander


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.


