Bug#340946: suexec's standard configuration prevents suexec of /usr/lib/cgi-bin

Hi,

> suexec2's docroot being set to /var/www means that it is not
> possible to have cgi scripts that come from Debian packages (and
> thus are located in /usr/lib/cgi-bin as required by Debian policy
> and FHS) to be executed under suexec.
>
> Please consider compiling suexec2 with docroot=/ to remedy this,
> and to solve #312252 as well.

Docroot=/ seems like a bad idea from a security point of view. Also,
suexec requires the executed script and the directory containing the
script to be owned by the target user (and this is an important part
of the security model to protect from local vulnerabilities).
Since /usr/lib/cgi-bin/* is owned by root, allowing this directory
in the docroot does not give you that much. You would also have to
use dpkg-statoverride. But if you do that, you can also use
dpkg-divert to move the cgi from /usr/lib/cgi-bin to /var/www and
have no problems.

Cheers,
Stefan
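
The reply above names two suexec checks: the script must lie under the compiled-in docroot, and the script and its directory must be owned by the target user. The following is an added example, not part of the original message and not Apache's code: a simplified pre-flight model of those checks. The function name `suexec_precheck` is hypothetical, and the write-permission and setuid tests go beyond what the message mentions (they follow Apache's documented suexec security model).

```python
import os
import stat


def suexec_precheck(script, docroot, uid, gid):
    """Return the reasons a suexec-style wrapper would refuse to run script.

    Simplified model (assumption): real suexec performs more checks
    (minimum uid/gid, safe environment, logging) that are not modelled here.
    """
    problems = []
    real = os.path.realpath(script)   # resolve symlinks before comparing
    root = os.path.realpath(docroot)

    # Containment on resolved paths. commonpath avoids the string-prefix
    # mistake where /var/www-other would match a docroot of /var/www.
    if os.path.commonpath([real, root]) != root:
        problems.append("outside docroot")

    # Ownership and write permission apply to both the script and the
    # directory that contains it.
    for label, path in (("script", real), ("directory", os.path.dirname(real))):
        st = os.stat(path)
        if st.st_uid != uid or st.st_gid != gid:
            problems.append(f"{label} not owned by target user/group")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} writable by group or others")

    if os.stat(real).st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("script is setuid/setgid")
    return problems


if __name__ == "__main__":
    import pwd
    import sys

    # Usage: precheck.py <script> <docroot> <target-user>
    script_arg, docroot_arg, user = sys.argv[1:4]
    pw = pwd.getpwnam(user)
    for line in suexec_precheck(script_arg, docroot_arg, pw.pw_uid, pw.pw_gid) or ["ok"]:
        print(line)
```

Run against a root-owned script with a docroot of `/` and a non-root target user, the containment check passes but both ownership checks still fail, which is the point the reply makes.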