
Bug#499191: apache2-suexec-custom: Allow execution of programs owned by root



On Thursday 02 October 2008, Alexander Prinsier wrote:
> > Apart from that, allowing scripts owned by root to be executed as
> > any user would certainly create (local) security issues. Using a
> > dedicated user might be possible, though.
>
> Why would running a root-owned script as a local user create a
> security issue?

Not so. But this would mean that in many setups, any user would be 
allowed to execute any root-owned program under the document root 
that has mode +x as any _other_ user (above uid 100). This is 
something that no admin would expect. The restriction that suexec can 
only be executed by apache can often be circumvented, e.g. if users 
are allowed to create php scripts in ~/public_html.

> > But I intend to keep apache2-suexec-custom as close as possible
> > to the normal suexec and would prefer to not add any more
> > features.
>
> I understand that. The patch is quite trivial though. Are there any
> other options besides maintaining my local patch?

For lenny there isn't. For the next release after lenny we can think 
about it again.
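
The concern raised in the reply above, as an added example that is not part of the original message and not suexec's own code: a simplified model of the ownership rule (stock: a program runs only as its owner; relaxed: root-owned files also pass) and an audit that lists the root-owned, executable files under a document root that the relaxed rule would make runnable as any other user. The function names and the `trusted_uid` parameter are assumptions for illustration.

```python
import os
import stat
import tempfile

def owner_check(file_uid, target_uid, relaxed=False, trusted_uid=0):
    """Simplified model of the ownership rule only (not suexec's full checks).

    Stock rule: a program runs only as the user who owns it.
    Relaxed rule (the proposal): files owned by trusted_uid also pass,
    whatever the target user is.
    """
    if file_uid == target_uid:
        return True
    return relaxed and file_uid == trusted_uid

def newly_runnable(docroot, trusted_uid=0):
    """List executable regular files under docroot owned by trusted_uid.

    Under the relaxed rule these become runnable as any other target user.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report the link itself, not its target
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if st.st_uid == trusted_uid and st.st_mode & 0o111:
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample tree; the current user stands in for root so the
    # demo runs unprivileged.
    with tempfile.TemporaryDirectory() as root:
        script = os.path.join(root, "backup.cgi")
        page = os.path.join(root, "index.html")
        for path, mode in ((script, 0o755), (page, 0o644)):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        uid = os.lstat(script).st_uid
        print(newly_runnable(root, trusted_uid=uid))
        print(owner_check(0, 1000), owner_check(0, 1000, relaxed=True))
```

Run against a real document root with the default `trusted_uid=0`, an empty result means the relaxed rule would expose nothing there.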


