Bug#488821: apache2-suexec: suexec configuration change demands extensive system changes
Hi Michael,
On Wednesday 02 July 2008, Michael Alan Dorman wrote:
> First, I would like to apologize for my rather terse initial
> message---it took me a while to figure out that I needed to install
> a new package (perhaps it warrants a recommends or at least
> suggests, so it shows up somewhere?), and then once it was
> installed, a while longer to figure out why that didn't help.
apache2.2-common suggests apache2-suexec. A recommends would not be
appropriate because the point of the separate package is that it is
not installed by default (and apt pulls in recommended packages by
default). But I would recommend you to install apt-listchanges. It
will display relevant sections of NEWS.Debian during upgrades.
> Second, I would like to thank you for your effort in maintaining
> apache---it's an important piece of software that I suspect only
> earns you annoying messages like this when it breaks, and precious
> little thanks when it "just works".
That is certainly appreciated.
> > Allowing suexec to change to random system users is bad from a
> > security point of view. Therefore the minimum uid of 100 should
> > be changed to some higher value. Now the question is if it is
> > possible to make that change in a less disrupting way. A
> > compromise would be to raise it to 200 and not 1000. This would
> > exclude automatically created system accounts on most systems and
> > mean a significant gain in security. Would this be helpful? Is
> > the user you want to switch to created by some Debian package or
> > have you created it manually?
>
> That the bound is arbitrary seems to me a pretty clear indicator
> that its value for security is limited.
>
> While I could definitely understand disallowing root, and even
> userids that are guaranteed to be on the system, and thus represent
> known quantities---which is what the old limit did---you can have
> no knowledge of exactly how many or to what use userids are
> assigned and how they are used.
Users like sshd and mysql have no fixed uid but are guaranteed to be
in the low 100s range. Those are the users I wanted to disallow.
> Finally, when one considers the *many other* constraints on
> suexec---the executable must be in a particular location, it must
> be owned by the user in question, etc---I think your assertion that
> there are gains in security as a result of this change in an arbitrary
> lower bound is questionable.
Many of the suexec restrictions are in there to guard against bugs in
suexec. For example, there has been a race condition in suexec that
could be used to circumvent the owner checks in some obscure
circumstances. Similar or worse issues can happen again. But maybe
the gain is not large enough to warrant disrupting many system
configurations. I will change it back for now. Maybe the
apache2-suexec-custom could be extended to make the minimum uid
configurable. Then the standard suexec could be changed to min uid
1000. But this will not happen in time for lenny.
> you. At least be kind enough to your users to announce in
> NEWS.Debian that you might be about to break their system. :)
The min user id change was announced in NEWS.Debian, just like the
move to a separate package.
Cheers,
Stefan
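The thread turns on which accounts a suexec minimum uid of 100, 200 or 1000 leaves reachable. The following script is an added example, not part of the bug report or of Debian's apache2 packaging: it parses passwd-format records and reports, for each candidate minimum, the accounts suexec's uid lower bound alone would still accept as targets. The passwd lines are constructed sample data (uids for sshd, mysql and cgiuser are illustrative, not real allocations), and only the uid bound is modelled; suexec's other checks (document root, ownership, permissions) are out of scope.

```python
"""Added example (not from the bug report or from Debian's apache2 packaging).

suexec refuses to run a CGI as a user whose uid is below its compiled-in
minimum. This script parses /etc/passwd-style records and reports which
accounts a given minimum would leave reachable, so an administrator can
compare the thresholds discussed in the thread (100, 200, 1000).
"""

# Constructed sample data; the uids are illustrative, not real allocations.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
cgiuser:x:150:150:manually created CGI user:/home/cgiuser:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""


def parse_passwd(text):
    """Yield (name, uid) tuples from passwd-format text, skipping malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # passwd records have exactly seven fields
            continue
        try:
            uid = int(fields[2])
        except ValueError:            # non-numeric uid field: ignore the record
            continue
        yield fields[0], uid


def suexec_eligible(text, min_uid):
    """Return account names (ordered by uid) that pass suexec's uid lower bound.

    Only the minimum-uid check is modelled here; suexec's remaining checks
    (document-root location, ownership, permissions) are not represented.
    """
    return [name for uid, name in sorted((uid, name) for name, uid in parse_passwd(text))
            if uid >= min_uid]


def threshold_report(text, thresholds=(100, 200, 1000)):
    """Map each candidate minimum uid to the accounts it leaves eligible."""
    return {t: suexec_eligible(text, t) for t in thresholds}


if __name__ == "__main__":
    for t, names in threshold_report(SAMPLE_PASSWD).items():
        print(f"min uid {t:>4}: {', '.join(names)}")
```

Run against a real host with `suexec_eligible(open("/etc/passwd").read(), 100)` to see which dynamically allocated daemon accounts (the sshd- and mysql-style users Stefan mentions) sit above the old bound; note that high fixed uids such as nobody remain eligible under every threshold, which is why the bound is only one layer of suexec's checks.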