
Bug#499191: Possible security issues



Stefan Fritsch wrote:
> On Wednesday 04 February 2009, Alexander Prinsier wrote:
>>> You are just considering pure web servers. On a machine that has
>>> a web server running but is also used for other things, users'
>>> home directories will contain many things that are not readable
>>> by the user www-data. If you have some insecure cgi script that
>>> allows to read arbitrary files, every local user would be able to
>>> read ~/.ssh/id_rsa of every other local user. This is not
>>> possible with the current, tighter suexec.
>> I wasn't just considering web servers. On a shell server, regular
>> users can't execute suexec (only www-data can). I'm only
>> considering the case where www-data is a trusted user (as in,
>> regular users can't execute things as www-data).
> 
> This limitation is trivial to bypass, see below.

Well yeah, if you misconfigure your system, it's easy to bypass all
sorts of things :), like you illustrated below. (Misconfigured because
you apparently allow the execution of any binary as any user.)

I'm assuming nobody can execute as www-data. www-data is supposed to be
a trusted user.

I didn't really check the security impact when www-data isn't trusted,
but my first thought is that it's still OK then, as long as your docroot
is set correctly.

You can make www-data trusted by forcing all cgi's to be executed using
suexec. Yes I know the default setup is not like this.

> That's not what I meant. What I meant is that mod_php in the default 
> configuration allows the following:
> 
> User1 creates a script in /home/user1/public_html/cat.php with 
> contents:
> 
> <?php
> passthru("cd /bin; /usr/lib/apache2/suexec user2 user2 cat /home/user2/.ssh/id_rsa");

How would suexec allow the execution of /bin/cat which is outside the
docroot?

In my patch the program to be executed needs to be either in the
docroot, owned by the target user/group, or it needs to be in the
cgi_docroot, owned by root/root. cgi_docroot would typically be
/usr/lib/cgi-bin. /bin/cat doesn't get through the checks (unless
misconfigured).

So, supposing you allow users to execute as www-data AND you have some
bad cgi in the cgi_docroot, only then do you have a problem.

> This does not actually work _only_ because suexec checks the docroot 
> and the owner of the executed program. Therefore it would be foolish 
> to remove both these checks.
> 
> But even if you only remove the owner check, you are still trusting 
> that it is safe if one user can exec everything in your docroot as 
> any other user. I don't think this is a good idea.

I'm not really removing a check. I'm only making the exception that a
cgi in /usr/lib/cgi-bin owned by root/root is good to be executed as any
target user.

I believe you have the exact same security impact by copying all cgi's
in /usr/lib/cgi-bin to the user's public_html directory. If the cgi's
you put in /usr/lib/cgi-bin are "safe", then my patch has no security
impact.

Thanks for taking the time to discuss this.

Alexander
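The two acceptance rules argued about above (program under the docroot and owned by the target user/group, or program under cgi_docroot and owned by root/root) can be checked in isolation. The following is an added example written for this page, not code from Apache's suexec.c or from the patch under discussion: it models only the checks the thread describes, with file ownership passed in as parameters so the logic can be exercised without a real filesystem. The uid/gid 1002 for user2, the docroot /home/user2/public_html and the program names are constructed for the example. Real suexec applies further checks (minimum uid/gid, setuid/setgid bits, writable directories and files, symlinks); the lstat()-backed wrapper below adds a few of those as an illustration and is likewise an assumption about reasonable behaviour, not a description of suexec's code.

```c
#define _XOPEN_SOURCE 700
/* Model of the command checks discussed in the thread for the proposed
 * suexec change. Added example code, not Apache's suexec.c: a target
 * program is accepted if it is under the per-user docroot and owned by
 * the target uid/gid, or under cgi_docroot and owned by root/root.
 * Function names and the parameter layout are assumptions made so the
 * rules can be tested without a filesystem. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* True if `path` is an absolute path lexically inside `dir`: it must
 * start with dir followed by '/', and no later component may be "." or
 * "..", so "/usr/lib/cgi-bin/../../../bin/cat" is rejected rather than
 * resolved. A trailing slash on dir is tolerated. */
static int path_under(const char *path, const char *dir)
{
    size_t dlen = strlen(dir);
    if (path[0] != '/' || dir[0] != '/')
        return 0;
    while (dlen > 1 && dir[dlen - 1] == '/')
        dlen--;
    if (strncmp(path, dir, dlen) != 0 || path[dlen] != '/')
        return 0;
    const char *p = path + dlen;
    while (*p == '/') {
        const char *start = ++p;
        while (*p && *p != '/')
            p++;
        size_t clen = (size_t)(p - start);
        if (clen == 0)                      /* "//" or trailing '/' */
            return 0;
        if ((clen == 1 && start[0] == '.') ||
            (clen == 2 && start[0] == '.' && start[1] == '.'))
            return 0;
    }
    return 1;
}

/* Apply the two rules for one target user. owner_uid/owner_gid are the
 * owner of the program file (from lstat() in the wrapper below; passed in
 * here so the decision logic is testable on its own). */
int suexec_allowed(const char *prog, uid_t owner_uid, gid_t owner_gid,
                   uid_t target_uid, gid_t target_gid,
                   const char *docroot, const char *cgi_docroot)
{
    /* Rule 1: inside the docroot and owned by the target user/group. */
    if (path_under(prog, docroot) &&
        owner_uid == target_uid && owner_gid == target_gid)
        return 1;
    /* Rule 2 (the patch's exception): inside cgi_docroot and owned by
     * root/root, runnable as any target user. */
    if (path_under(prog, cgi_docroot) && owner_uid == 0 && owner_gid == 0)
        return 1;
    /* Anything else, e.g. /bin/cat, is refused. */
    return 0;
}

/* Filesystem-backed wrapper: lstat() the program, refuse anything that is
 * not a plain file, setuid/setgid, or group/world-writable, then apply the
 * rules above. These extra refusals are this example's choice. */
int suexec_allowed_stat(const char *prog, uid_t target_uid, gid_t target_gid,
                        const char *docroot, const char *cgi_docroot)
{
    struct stat st;
    if (lstat(prog, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_mode & (S_ISUID | S_ISGID | S_IWGRP | S_IWOTH))
        return 0;
    return suexec_allowed(prog, st.st_uid, st.st_gid,
                          target_uid, target_gid, docroot, cgi_docroot);
}

int main(void)
{
    /* Constructed scenario from the thread: user2 as uid/gid 1002 (assumed),
     * per-user docroot /home/user2/public_html, cgi_docroot /usr/lib/cgi-bin. */
    const char *docroot = "/home/user2/public_html";
    const char *cgi = "/usr/lib/cgi-bin";
    printf("user2's own cgi:        %d\n", suexec_allowed(
        "/home/user2/public_html/cat.cgi", 1002, 1002, 1002, 1002, docroot, cgi));
    printf("/bin/cat (root-owned):  %d\n", suexec_allowed(
        "/bin/cat", 0, 0, 1002, 1002, docroot, cgi));
    printf("root cgi in cgi-bin:    %d\n", suexec_allowed(
        "/usr/lib/cgi-bin/printenv", 0, 0, 1002, 1002, docroot, cgi));
    printf("dotdot escape:          %d\n", suexec_allowed(
        "/usr/lib/cgi-bin/../../../bin/cat", 0, 0, 1002, 1002, docroot, cgi));
    return 0;
}
```

The point the thread turns on is visible in the second call: /bin/cat is owned by root but lies under neither directory, so the root/root exception never reaches it. The fourth call shows why the containment test must be lexical rather than a bare prefix comparison.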
