
Bug#340946: suexec's standard configuration prevents suexec of /usr/lib/cgi-bin



Hi,

> suexec2's docroot being set to /var/www means that it is not
> possible to have cgi scripts that come from Debian packages (and
> thus are located in /usr/lib/cgi-bin as required by Debian policy
> and FHS) to be executed under suexec.
>
> Please consider compiling suexec2 with docroot=/ to remedy this,
> and to solve #312252 as well.

Docroot=/ seems like a bad idea from a security point of view. Also, 
suexec requires the executed script and the directory containing the 
script to be owned by the target user (and this is an important part 
of the security model to protect from local vulnerabilities). 
Since /usr/lib/cgi-bin/* is owned by root, allowing this directory  
in the docroot does not give you that much. You would also have to 
use dpkg-statoverride. But if you do that, you can also use 
dpkg-divert to move the cgi from /usr/lib/cgi-bin to /var/www and 
have no problems.

Cheers,
Stefan
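
The two checks discussed in the message above, as an added sketch in Python (not part of the original mail and not suexec's own code): it shows why widening the docroot alone still leaves a packaged CGI refused. The function names, the temporary directory tree and the uid/gid values are constructed for illustration, and only the docroot and ownership checks are modelled.

```python
import os
import tempfile


def suexec_refusals(script, docroot, uid, gid):
    """Reasons a suexec-style wrapper would refuse to run `script` as uid/gid."""
    script = os.path.realpath(script)
    docroot = os.path.realpath(docroot)
    reasons = []
    # Check 1: the script must live below the compiled-in docroot.
    if os.path.commonpath([script, docroot]) != docroot:
        reasons.append("outside docroot")
    # Check 2: the containing directory and the script must both
    # belong to the target user.
    for label, path in (("directory", os.path.dirname(script)),
                        ("script", script)):
        st = os.stat(path)
        if (st.st_uid, st.st_gid) != (uid, gid):
            reasons.append(label + " not owned by target user")
    return reasons


def demo():
    """Constructed tree: base/www is the docroot, base/cgi-bin holds a packaged CGI."""
    with tempfile.TemporaryDirectory() as base:
        www = os.path.join(base, "www")
        os.mkdir(www)
        os.mkdir(os.path.join(base, "cgi-bin"))
        script = os.path.join(base, "cgi-bin", "app.cgi")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n")
        # The creating account stands in for root owning /usr/lib/cgi-bin/*.
        owner = os.stat(script)
        # Constructed target user: any uid/gid other than the file owner's.
        site_uid, site_gid = owner.st_uid + 1, owner.st_gid + 1
        return {
            "narrow_docroot": suexec_refusals(script, www, site_uid, site_gid),
            "wide_docroot": suexec_refusals(script, base, site_uid, site_gid),
            "wide_docroot_owner": suexec_refusals(
                script, base, owner.st_uid, owner.st_gid),
        }


if __name__ == "__main__":
    for case, reasons in demo().items():
        print(case, "->", reasons or "would run")
```

In the `wide_docroot` case the docroot check passes but both ownership checks still fail, which is the situation the message describes for root-owned files under /usr/lib/cgi-bin.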


