Bug#499191: Possible security issues

To: Alexander Prinsier <aphexer@mailhaven.com>
Cc: 499191@bugs.debian.org
Subject: Bug#499191: Possible security issues
From: Stefan Fritsch <sf@sfritsch.de>
Date: Sat, 7 Feb 2009 16:51:02 +0100
Message-id: <[🔎] 200902071651.02627.sf@sfritsch.de>
Reply-to: sf@sfritsch.de, 499191@bugs.debian.org, 499191@bugs.debian.org
In-reply-to: <[🔎] 4989F6B8.2090004@mailhaven.com>
References: <497AF449.1070600@mailhaven.com> <[🔎] 200902042031.03682.sf@sfritsch.de> <[🔎] 4989F6B8.2090004@mailhaven.com>

On Wednesday 04 February 2009, Alexander Prinsier wrote:
> Well yeah, if you misconfigure your system, it's easy to bypass all
> sorts of things :), like you illustrated below. (misconfigured
> because you apparently allow the execution of any binary as any
> user).

Considering that the majority of all systems with mod_php is 
misconfigured in this way, one should not ship a package that relies 
on the system not having this configuration. Especially since nearly 
no admins are aware of the implications of suexec for local security.

> > This does not actually work _only_ because suexec checks the
> > docroot and the owner of the executed program. Therefore it would
> > be foolish to remove both these checks.
> >
> > But even if you only remove the owner check, you are still
> > trusting that it is safe if one user can exec everything in your
> > docroot as any other user. I don't think this is a good idea.
>
> I'm not really removing a check. I'm only making the exception that
> a cgi in /usr/lib/cgi-bin owned by root/root is good to be executed
> as any target user.

Yes, you remove one of the two main barriers against exploitation by 
local users. This makes it much more likely that an programming error 
results in exploitable security issues.

> I believe you have the exact same security impact by copying all
> cgi's in /usr/lib/cgi-bin to the users's public_html directory. If
> the cgi's you put in /usr/lib/cgi-bin are "safe", then my patch has
> no security impact.

That's not correct. With your patch you can execute the programs as 
any user (including system users). With the normal suexec you can 
only execucte the programs as those users, where you copied them to 
the public_html directory. This is equivalent to some whitelist that 
has to be configured by the admin.

Maybe it would be an option to make the list/range of users 
configurable that suexec will switch to, with no user allowed by 
default. Or one could store that allowed user list in the xattrs of 
every program in the suexec cgi dir.

Reply to:

Follow-Ups:
- Bug#499191: Possible security issues
  - From: Alexander Prinsier <aphexer@mailhaven.com>

References:
- Bug#499191: Possible security issues
  - From: Stefan Fritsch <sf@sfritsch.de>
- Bug#499191: Possible security issues
  - From: Alexander Prinsier <aphexer@mailhaven.com>

Prev by Date: Bug#514376: ssl-cert: [INTL:sk] Slovak po-debconf translation
Next by Date: Bug#499191: Possible security issues
Previous by thread: Bug#499191: Possible security issues
Next by thread: Bug#499191: Possible security issues
Index(es):
- Date
- Thread