Re: [users@httpd] SuExec and symlinks


 



On 9/19/05, Oscar Haeger <Oscar.Haeger@xxxxxxxxxxxxx> wrote:
> What I'd like to know is if SuExec somehow prevents me from running scripts via
> symlinks.
> I have a webserver with SuExec installed and I'd like to be able to run scripts
> that reside in other people's cgi-bin directories. I've tested this but haven't
> been able to get it to work.

Well, yeah.  Allowing anything symlinked to get executed by suexec
would violate the basic security model.  I agree that neither the
error message nor the docs are very explicit about this, but I think
the assumption is that security-minded people will know that a program
like suexec must forbid symlinks to do its job.

If you know a little C, then reading the suexec.c source code makes
things clear:

    /*
     * Error out if we cannot stat the program.
     */
    if (((lstat(cmd, &prg_info)) != 0) || (S_ISLNK(prg_info.st_mode))) {
        log_err("cannot stat program: (%s)\n", cmd);
        exit(117);
    }

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
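
Added example (not part of the original message and not Apache's code): the condition quoted from suexec.c, wrapped in a hypothetical helper check_program() and run against a constructed temporary directory, showing that lstat() rejects a symlink that stat() would let through. The function names, the follow parameter and the file names are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for lstat(), symlink(), mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The quoted suexec.c condition as a function: returns 117 (the exit code in
 * the excerpt) when the path cannot be examined or is a symlink, else 0.
 * follow=0 uses lstat() as suexec does; follow=1 uses stat() for contrast.
 * stat() describes the link target, so S_ISLNK() can never be true there. */
int check_program(const char *cmd, int follow)
{
    struct stat prg_info;
    int rc = follow ? stat(cmd, &prg_info) : lstat(cmd, &prg_info);
    if (rc != 0 || S_ISLNK(prg_info.st_mode))
        return 117;
    return 0;
}

/* Constructed sandbox: <tmp>/real.cgi plus link.cgi -> real.cgi.
 * Fills out[] with: lstat(real), lstat(link), stat(link), lstat(missing). */
int run_demo(int out[4])
{
    char dir[] = "/tmp/suexec-demo-XXXXXX";
    char real[64], lnk[64], missing[64];
    FILE *f;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(real, sizeof real, "%s/real.cgi", dir);
    snprintf(lnk, sizeof lnk, "%s/link.cgi", dir);
    snprintf(missing, sizeof missing, "%s/missing.cgi", dir);
    if ((f = fopen(real, "w")) == NULL) return -1;
    fputs("#!/bin/sh\n", f);
    fclose(f);
    if (symlink(real, lnk) != 0) return -1;
    out[0] = check_program(real, 0);    /* regular file, lstat: accepted */
    out[1] = check_program(lnk, 0);     /* symlink, lstat: rejected      */
    out[2] = check_program(lnk, 1);     /* symlink, stat: slips through  */
    out[3] = check_program(missing, 0); /* nonexistent path: rejected    */
    unlink(lnk); unlink(real); rmdir(dir);
    return 0;
}

int main(void)
{
    int r[4];
    if (run_demo(r) != 0) return 1;
    printf("lstat: real=%d link=%d missing=%d; stat: link=%d\n", r[0], r[1], r[3], r[2]);
    return 0;
}
```

Both rejected cases return the same code, which matches the thread's point that the "cannot stat program" message does not say a symlink was the cause.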


