Re: Re[4]: [users@httpd] suexec improvement suggestion

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/20/05, Alexander Kolesnik <apache-list1@xxxxxxxxxxx> wrote:
> >> Could  you  please  tell  what  security implications do you mean? And
> >> what's the difference between original suexec's security and the one I
> >> suggested?
> 
> > I can't say that I'm a real expert here either, but one important
> > issue is that you would need to remove an suexec security check:
> > suexec runs files only under the userid of their owner.    Removing
> > this check wouldn't automatically lead to a problem -- you'd still
> > need to compromise the httpd user -- buy it gets you one step closer.
> 
> I  don't  see  problems here if suexec will extend this restriction to
> any non-root user (or any non-special user, like bin, etc). If you see
> them, please, tell me.

Let's put it this way: If you compromise the httpd user, you can then
run any httpd/suexec-accessible program under any userid (other than
root).  That is really only a half-step away from root privileges.

(One thing people often fail to consider is that suexec is an ordinary
binary that can be run from the command line, not only from within
httpd.  Many of the security checks are designed to prevent it from
being abused from the command line.)

> As far as I understand, this improvemnt will not affect suexec's
> simplicity and security.

If you made it a configurable option, it would certainly make suexec
more complex (as would any configuration).  I think it should be
evident that it also removes a major security check.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux