
Mailing List Archive: Apache: Users

SuEXEC question

 

 



pd at pauldemarco

Mar 14, 2004, 1:35 PM

Post #1 of 7 (583 views)
SuEXEC question

Why does suexec not launch the user's shell after changing effective user and
group ids to that user? I ask because I have all users jailed, but when the
web-server launches a CGI it is under the user's account, but not jailed.



I realize suexec would need a common way of passing the CGI path and name
into the shell, and each is a little different. Related, but different, why
not chroot to the user's home directory?



Are there security or implementation issues related to either of these?
Patches that accomplish either? Thank you.



--Paul DeMarco


nick at webthing

Mar 14, 2004, 2:43 PM

Post #2 of 7 (557 views)
Re: SuEXEC question

On Sun, 14 Mar 2004, Paul DeMarco wrote:

> Are there security or implementation issues related to either of these?

How is CGI going to run chroot?

CGI will be seriously crippled without /bin:/usr/bin:/usr/local/bin
in PATH and /lib:/usr/lib:/usr/local/lib in LD_LIBRARY_PATH.
Are you planning to replicate those in the jail?

Once you've done that, you still need to hack mod_cgi to translate
those CGI environment variables that involve system paths.

IOW, I think you're looking at a distinctly non-trivial project.

--
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


pd at pauldemarco

Mar 14, 2004, 2:59 PM

Post #3 of 7 (564 views)
RE: SuEXEC question

Yes, critical devices, binaries, and libraries have all been replicated (hard
linked) into the jails.

There's a mini system in each home, and has everything required to operate.
This isn't right for all setups, but I think an option during the build of
suexec would be useful.

By chrooting to their home directory, you're limiting what the cgi can see.
I'm attempting to get around the problem with sites requiring global read,
because apache runs as nobody.

I don't believe mod_cgi matters, doesn't that launch suexec? And then suexec
takes care of launching the cgi. It could simply strip off the starts of
paths that match the home directory.

I welcome the discussion, I'm here to determine the feasibility, past
thoughts on why it may not have been done, and any implications that are
known as much as anything.

If it's deemed possible without compromising security, then I'll make the
necessary patch.


> -----Original Message-----
> From: Nick Kew [mailto:nick [at] webthing]
> Sent: Sunday, March 14, 2004 4:44 PM
> To: users [at] httpd
> Subject: Re: [users [at] http] SuEXEC question
>
> On Sun, 14 Mar 2004, Paul DeMarco wrote:
>
> > Are there security or implementation issues related to either of these?
>
> How is CGI going to run chroot?
>
> CGI will be seriously crippled without /bin:/usr/bin:/usr/local/bin
> in PATH and /lib:/usr/lib:/usr/local/lib in LD_LIBRARY_PATH.
> Are you planning to replicate those in the jail?
>
> Once you've done that, you still need to hack mod_cgi to translate
> those CGI environment variables that involve system paths.
>
> IOW, I think you're looking at a distinctly non-trivial project.
>
> --
> Nick Kew




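The path rewrite proposed in this message (dropping the home-directory prefix so a path is valid inside the chroot), sketched as an added example; it is not part of the original thread or of suexec. The function name `jail_relative` and the sample paths are assumptions, and the match is purely textual, so symlinks are not resolved.

```c
#include <stddef.h>
#include <string.h>

/* Map the host-absolute `path` to the path seen inside a chroot at `jail`.
 * Returns 0 on success, -1 if either path is not absolute, `jail` is "/",
 * `path` lies outside the jail, contains a ".." component, or the result
 * does not fit in `out`. (Hypothetical helper, not suexec code.) */
int jail_relative(const char *jail, const char *path, char *out, size_t outlen)
{
    size_t jl = strlen(jail);

    if (jail[0] != '/' || path[0] != '/')
        return -1;
    /* Ignore trailing slashes: "/home/paul/" names the same jail. */
    while (jl > 1 && jail[jl - 1] == '/')
        jl--;
    if (jl == 1)
        return -1;              /* a jail rooted at "/" is no jail */

    /* Reject ".." components: a textual prefix match says nothing about
     * where the path ends up once ".." is followed. */
    for (const char *p = path; *p; ) {
        while (*p == '/')
            p++;
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return -1;
        p += n;
    }

    /* The prefix must end on a component boundary, otherwise the jail
     * "/home/paul" would also match "/home/paulette/...". */
    if (strncmp(path, jail, jl) != 0)
        return -1;
    if (path[jl] != '/' && path[jl] != '\0')
        return -1;

    const char *rest = path + jl;
    if (*rest == '\0')
        rest = "/";             /* the jail root itself */
    if (strlen(rest) >= outlen)
        return -1;
    strcpy(out, rest);
    return 0;
}
```
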


nick at webthing

Mar 14, 2004, 3:16 PM

Post #4 of 7 (581 views)
RE: SuEXEC question

>
> If it's deemed possible without compromising security, then I'll make the
> necessary patch.

In that case, you'd probably be better-off discussing it on the dev
list. People here are only users, except by coincidence.

FWIW, your reply suggests that you have sufficient background to make
(or at least attempt) such a patch - that was less clear in your
first post. But you'll have to convince people of your security model
and implementation, which implies a fairly meticulous design and
documentation process.

--
Nick Kew



pd at pauldemarco

Mar 14, 2004, 4:06 PM

Post #5 of 7 (565 views)
RE: SuEXEC question

Fair enough, will contact the other list, I was looking to see if this had
come up before as well, and other users' needs as well. More of a research
step prior to even development. Or even another way of doing everything,
that solves the problem, but in a totally different (already supported) way.

> -----Original Message-----
> From: Nick Kew [mailto:nick [at] webthing]
> Sent: Sunday, March 14, 2004 5:16 PM
> To: users [at] httpd
> Subject: RE: [users [at] http] SuEXEC question
>
> >
> > If it's deemed possible without compromising security, then I'll make the
> > necessary patch.
>
> In that case, you'd probably be better-off discussing it on the dev
> list. People here are only users, except by coincidence.
>
> FWIW, your reply suggests that you have sufficient background to make
> (or at least attempt) such a patch - that was less clear in your
> first post. But you'll have to convince people of your security model
> and implementation, which implies a fairly meticulous design and
> documentation process.
>
> --
> Nick Kew






gordon at eng

Oct 26, 2005, 10:12 AM

Post #6 of 7 (573 views)
Re: suEXEC question

I see your point regarding sudo. This opens up a can of security-related
worms. Could anyone suggest a safe, reliable way to authenticate users
via Apache and then execute code as the user to do things like:

* change passwords
* turn off/on vacation

Regards,

Joshua Slive wrote:

>On 10/25/05, Gordon Thagard <gordon [at] eng> wrote:
>
>
>
>>After reading the security checks list it seems somewhat clear that only
>>the apache (perhaps the "nobody" user, as that's how I've set mine) user
>>can execute cgi or PHP code. I want users to be able to authenticate and
>>then be able to:
>>
>>a. change passwords
>>b. turn off/on vacation via /usr/local/bin/vacation
>>c. turn off/on spam filtering via adding/removing a pre-written
>>.mailfilter file into/out of the user's home directory
>>
>>Is this possible via the User directories usage description above or is
>>there another way or no way using Apache?
>>
>>
>
>No, this is not a good usage of suexec. You would need to put cgi
>scripts in each user's home directory to make it work.
>
>You should look into sudo, but be very careful. Allowing access to
>regular accounts over the web is a good way to compromise your server.
>
>Joshua.
>
>



jslive at gmail

Oct 26, 2005, 1:18 PM

Post #7 of 7 (569 views)
Re: suEXEC question

On 10/26/05, Gordon Thagard <gordon [at] eng> wrote:
> I see your point regarding sudo. This opens up a can of security-related
> worms. Could anyone suggest a safe, reliable way to authenticate users
> via Apache and then execute code as the user to do things like:
>
> * change passwords
> * turn off/on vacation

It is not sudo itself that is dangerous, it is the whole concept.
See
http://httpd.apache.org/docs/1.3/misc/FAQ.html#passwdauth
for discussion of some of the issues.

If I really had to do this, I would probably use an ordinary CGI
script on the apache-side, which would communicate with another
program that would use sudo to make the actual changes. The key would
be making the communication channel between the cgi script and this
other program as simple and secure as possible, and assuring that
input is checked carefully at each stage of processing.

Joshua.

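An added example, not from the original thread or any Apache code, of the input check on the privileged side of the split Joshua describes: the helper re-validates each request itself and does not rely on the CGI having done so. The one-line `<verb> <user>\n` format, the verb names and `parse_request` are assumptions made for illustration.

```c
#include <string.h>

enum action { ACT_INVALID = 0, ACT_VACATION_ON, ACT_VACATION_OFF };

#define MAX_USER 32

/* Parse one request of the assumed form "<verb> <user>\n" (hypothetical
 * wire format). On success returns the action and copies the user name
 * into `user`, which must hold MAX_USER + 1 bytes. Anything unexpected
 * yields ACT_INVALID and leaves `user` untouched. */
enum action parse_request(const char *line, size_t len, char *user)
{
    static const struct { const char *verb; enum action act; } verbs[] = {
        { "vacation-on",  ACT_VACATION_ON  },
        { "vacation-off", ACT_VACATION_OFF },
    };

    /* Exactly one line: ends in '\n', no embedded NUL, no second newline. */
    if (len < 2 || line[len - 1] != '\n' ||
        memchr(line, '\0', len) || memchr(line, '\n', len - 1))
        return ACT_INVALID;

    const char *sp = memchr(line, ' ', len - 1);
    if (!sp)
        return ACT_INVALID;
    size_t vlen = (size_t)(sp - line);
    const char *u = sp + 1;
    size_t ulen = len - 1 - vlen - 1;
    if (ulen == 0 || ulen > MAX_USER)
        return ACT_INVALID;

    /* User name allow-list: [a-z0-9_-], first character a letter. This
     * rules out "-f" (read as an option), "/" and "." (path tricks). */
    if (u[0] < 'a' || u[0] > 'z')
        return ACT_INVALID;
    for (size_t i = 0; i < ulen; i++) {
        char c = u[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
              c == '_' || c == '-'))
            return ACT_INVALID;
    }

    /* The verb must match the fixed table exactly; no prefix matches. */
    for (size_t i = 0; i < sizeof verbs / sizeof verbs[0]; i++) {
        if (strlen(verbs[i].verb) == vlen && memcmp(line, verbs[i].verb, vlen) == 0) {
            memcpy(user, u, ulen);
            user[ulen] = '\0';
            return verbs[i].act;
        }
    }
    return ACT_INVALID;
}
```
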
