Bug#299191: apache2-common: suexec sets incorrect gid and groups
Package: apache2-common
Version: 2.0.53-5
Severity: grave
Justification: user security hole
I'm fairly certain this is specific to the MIPS port. I looked at the
source and did some tests and am a bit perplexed. I thought it was a
signedness issue, integer overflow I think they call it. In any case
here's the rundown. Apache is running as nobody/nogroup (65534/65534).
I was having some luser errors with a CGI script so I dropped a simple
command execution script in /usr/lib/cgi-bin/ to see if CGI worked in
general which it does. In any case I ran /usr/bin/id and noticed my gid
was wrong as well as my groups. I created a file just to ensure the
problem wasn't within id and did an ls on the file. It seems that it's a
problem with suexec itself. My box is slow as can be and I've just about
given up trying to build it from source and see for myself but I imagine
that perhaps this is built with a cross-compiler. And that somehow the
signedness is incurred in this fashion. I did test getgrnam and it
returns correct information. Here's some output from my lil' script:
$ id
uid=65534(nobody) gid=1(daemon) groups=4294967295
$ touch /tmp/nobody_was_here
$ ls -l /tmp/nobody_was_here
-rw-r--r-- 1 nobody 4294967295 0 Mar 12 05:11 /tmp/nobody_was_here
Anyways this can in theory lead to some strange privilege elevation
given the gid of daemon. I chose grave since it seemed fitting although
in truth it's probably not a huge issue? There were no errors logged.
Anyways if I can fix strace to work or get this to compile I might be
able to send a patch or more useful info. For now it's still running
configure... ;)
peace,
core
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: mipsel (mips)
Kernel: Linux 2.4.27-r5k-cobalt
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages apache2-common depends on:
ii apache2-utils 2.0.53-5 utility programs for webservers
ii debconf 1.4.30.11 Debian configuration management sy
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libdb4.2 4.2.52-18 Berkeley v4.2 Database Libraries [
ii libexpat1 1.95.8-1 XML parsing C library - runtime li
ii libgcc1 1:3.4.3-6 GCC support library
ii libmagic1 4.12-1 File type determination library us
ii mime-support 3.28-1 MIME files 'mime.types' & 'mailcap
ii net-tools 1.60-10 The NET-3 networking toolkit
ii openssl 0.9.7e-2 Secure Socket Layer (SSL) binary a
ii ssl-cert 1.0-11 Simple debconf wrapper for openssl
-- no debconf information
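Added example, not part of the original report and not code from Apache or Debian: a small C check that automates the three observations above (primary gid, supplementary groups, group of a newly created file) so it can be run from a CGI context after a rebuild. The names audit_gids and audit_self and the scratch file template are hypothetical, and a 32-bit gid_t is assumed, so 4294967295 is (gid_t)-1.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define BAD_GID      0x1 /* primary gid differs from the account's passwd gid */
#define BAD_SENTINEL 0x2 /* a supplementary group is (gid_t)-1, i.e. 4294967295 */
#define BAD_FILE_GID 0x4 /* a newly created file got an unexpected group */

/* Pure check (hypothetical helper): works on recorded values or live ones. */
int audit_gids(gid_t expected, gid_t gid, gid_t file_gid,
               const gid_t *groups, int n)
{
    int bad = (gid != expected ? BAD_GID : 0) |
              (file_gid != expected ? BAD_FILE_GID : 0);
    for (int i = 0; i < n; i++)
        if (groups[i] == (gid_t)-1)
            bad |= BAD_SENTINEL;
    return bad;
}

/* Live check for the calling process; -1 if the data cannot be gathered. */
int audit_self(void)
{
    char path[] = "/tmp/gidcheck-XXXXXX"; /* hypothetical scratch file */
    gid_t groups[64];
    struct stat st;
    struct passwd *pw = getpwuid(geteuid());
    int n = getgroups(64, groups);
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    if (pw == NULL || n < 0 || rc != 0)
        return -1;
    return audit_gids(pw->pw_gid, getgid(), st.st_gid, groups, n);
}

int main(void)
{
    /* Constructed from the report: expected 65534; id gid=1, groups and file group 4294967295. */
    gid_t reported[] = { (gid_t)4294967295u };
    printf("report: 0x%x\n", audit_gids(65534, 1, (gid_t)4294967295u, reported, 1));
    printf("self:   0x%x\n", audit_self());
    return 0;
}
```

A setgid scratch directory makes new files inherit the directory's group, so the live file-group check is only meaningful in a directory without that bit.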