On 5/20/05, Alexander Kolesnik <apache-list1@xxxxxxxxxxx> wrote: > >> Could you please tell what security implications do you mean? And > >> what's the difference between original suexec's security and the one I > >> suggested? > > > I can't say that I'm a real expert here either, but one important > > issue is that you would need to remove an suexec security check: > > suexec runs files only under the userid of their owner. Removing > > this check wouldn't automatically lead to a problem -- you'd still > > need to compromise the httpd user -- buy it gets you one step closer. > > I don't see problems here if suexec will extend this restriction to > any non-root user (or any non-special user, like bin, etc). If you see > them, please, tell me. Let's put it this way: If you compromise the httpd user, you can then run any httpd/suexec-accessible program under any userid (other than root). That is really only a half-step away from root privileges. (One thing people often fail to consider is that suexec is an ordinary binary that can be run from the command line, not only from within httpd. Many of the security checks are designed to prevent it from being abused from the command line.) > As far as I understand, this improvemnt will not affect suexec's > simplicity and security. If you made it a configurable option, it would certainly make suexec more complex (as would any configuration). I think it should be evident that it also removes a major security check. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|