Bug#499191: Possible security issues
Stefan Fritsch wrote:
> On Wednesday 04 February 2009, Alexander Prinsier wrote:
>>> You are just considering pure web servers. On a machine that has
>>> a web server running but is also used for other things, users'
>>> home directories will contain many things that are not readable
>>> by the user www-data. If you have some insecure cgi script that
>>> allows to read arbitrary files, every local user would be able to
>>> read ~/.ssh/id_rsa of every other local user. This is not
>>> possible with the current, tighter suexec.
>> I wasn't just considering web servers. On a shell server, regular
>> users can't execute suexec (only www-data can). I'm only
>> considering the case where www-data is a trusted user (as in,
>> regular users can't execute things as www-data).
>
> This limitation is trivial to bypass, see below.
Well yeah, if you misconfigure your system, it's easy to bypass all
sorts of things :), like you illustrated below (misconfigured because
you apparently allow the execution of any binary as any user).
I'm assuming nobody can execute as www-data. www-data is supposed to be
a trusted user.
I didn't really check the security impact when www-data isn't trusted,
but my first thought is that it's still OK then, as long as your docroot
is set correctly.
You can make www-data trusted by forcing all CGIs to be executed using
suexec. Yes, I know the default setup is not like this.
> That's not what I meant. What I meant is that mod_php in the default
> configuration allows the following:
>
> User1 creates a script in /home/user1/public_html/cat.php with
> contents:
>
> <?php
> passthru("cd /bin; /usr/lib/apache2/suexec user2 user2
> cat /home/user2/.ssh/id_rsa");
How would suexec allow the execution of /bin/cat which is outside the
docroot?
In my patch the program to be executed needs to be either in the
docroot, owned by the target user/group, or it needs to be in the
cgi_docroot, owned by root/root. cgi_docroot would typically be
/usr/lib/cgi-bin. /bin/cat doesn't get through the checks (unless
misconfigured).
So supposing you allow users to execute as www-data AND you have some
bad CGI in the cgi_docroot, only then do you have a problem.
> This does not actually work _only_ because suexec checks the docroot
> and the owner of the executed program. Therefore it would be foolish
> to remove both these checks.
>
> But even if you only remove the owner check, you are still trusting
> that it is safe if one user can exec everything in your docroot as
> any other user. I don't think this is a good idea.
I'm not really removing a check. I'm only making the exception that a
cgi in /usr/lib/cgi-bin owned by root/root is good to be executed as any
target user.
I believe you have the exact same security impact by copying all CGIs
in /usr/lib/cgi-bin to the users' public_html directory. If the CGIs
you put in /usr/lib/cgi-bin are "safe", then my patch has no security
impact.
Thanks for taking the time to discuss this.
Alexander
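The policy Alexander describes (a target program is accepted only if it is inside the docroot and owned by the target user/group, or inside cgi_docroot and owned by root:root) can be modelled in a few lines, which makes it easy to see why Stefan's /bin/cat example is refused and what "unless misconfigured" means. The following is an added example written for this page, not code from apache2's suexec or from the patch under discussion. It assumes the two accepted locations as stated in the thread; the refusal of group- or world-writable programs is taken from stock suexec behaviour and is not something the thread mentions. The docroot, the sample script and the reason strings are constructed here for illustration.

```python
"""Model of the suexec target-program checks discussed in this thread.

Added example, not code from apache2 or from the patch under discussion.
Assumed: the patch's two accepted locations (a program inside the docroot
owned by the target uid/gid, or a program inside cgi_docroot owned by
root:root). The group/world-writable refusal mirrors stock suexec and is
an assumption, not something stated in the thread.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class SuexecPolicy:
    docroot: str       # where user-owned CGIs may live (e.g. the public_html base)
    cgi_docroot: str   # where root-owned system CGIs live (e.g. /usr/lib/cgi-bin)


def _inside(path: str, root: str) -> bool:
    """True if path sits under root, with symlinks resolved on both sides."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def check_target(policy: SuexecPolicy, prog: str, target_uid: int, target_gid: int):
    """Decide whether `prog` may be executed as target_uid:target_gid.

    Returns (allowed, reason); the reason strings are illustrative only.
    """
    real = os.path.realpath(prog)
    try:
        st = os.stat(real)
    except FileNotFoundError:
        return False, "program does not exist"
    if not stat.S_ISREG(st.st_mode):
        return False, "program is not a regular file"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "program is group- or world-writable"
    if _inside(real, policy.docroot):
        if (st.st_uid, st.st_gid) == (target_uid, target_gid):
            return True, "inside docroot and owned by the target user/group"
        return False, "inside docroot but not owned by the target user/group"
    if _inside(real, policy.cgi_docroot):
        if (st.st_uid, st.st_gid) == (0, 0):
            return True, "inside cgi_docroot and owned by root:root"
        return False, "inside cgi_docroot but not owned by root:root"
    return False, "outside both docroot and cgi_docroot"


def demo():
    """Replay the thread's cases against a docroot constructed in a temp dir."""
    me_uid, me_gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as docroot:
        script = os.path.join(docroot, "cat.cgi")
        with open(script, "w") as f:
            f.write('#!/bin/sh\ncat "$1"\n')
        os.chmod(script, 0o755)            # not group/world writable
        os.chown(script, me_uid, me_gid)   # owned by the "target user"
        good = SuexecPolicy(docroot=docroot, cgi_docroot="/usr/lib/cgi-bin")
        bad = SuexecPolicy(docroot=docroot, cgi_docroot="/bin")  # misconfigured
        return {
            # user1's own script, run as user1: allowed
            "own_script": check_target(good, script, me_uid, me_gid),
            # same script, but asking to run it as a different uid: refused
            "other_users_target": check_target(good, script, me_uid + 1, me_gid),
            # Stefan's /bin/cat case under a sane cgi_docroot: refused
            "bin_cat": check_target(good, "/bin/cat", me_uid, me_gid),
            # the same with cgi_docroot pointed at /bin: the "misconfigured" case
            "bin_cat_misconfigured": check_target(bad, "/bin/cat", me_uid, me_gid),
        }


if __name__ == "__main__":
    for case, (allowed, why) in demo().items():
        print(f"{case:24s} {'ALLOW' if allowed else 'DENY':5s} {why}")
```

Run it as an unprivileged user: the only case that flips to ALLOW is the last one, and only because cgi_docroot was set to a directory full of root-owned binaries, which is exactly the misconfiguration the thread is talking about.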