Bug#499191: Possible security issues
On Wednesday 04 February 2009, Alexander Prinsier wrote:
> Well yeah, if you misconfigure your system, it's easy to bypass all
> sorts of things :), like you illustrated below. (misconfigured
> because you apparently allow the execution of any binary as any
Considering that the majority of all systems with mod_php is
misconfigured in this way, one should not ship a package that relies
on the system not having this configuration. Especially since nearly
no admins are aware of the implications of suexec for local security.
> > This does not actually work _only_ because suexec checks the
> > docroot and the owner of the executed program. Therefore it would
> > be foolish to remove both these checks.
> > But even if you only remove the owner check, you are still
> > trusting that it is safe if one user can exec everything in your
> > docroot as any other user. I don't think this is a good idea.
> I'm not really removing a check. I'm only making the exception that
> a cgi in /usr/lib/cgi-bin owned by root/root is good to be executed
> as any target user.
Yes, you remove one of the two main barriers against exploitation by
local users. This makes it much more likely that a programming error
results in exploitable security issues.
> I believe you have the exact same security impact by copying all
> cgi's in /usr/lib/cgi-bin to the user's public_html directory. If
> the cgi's you put in /usr/lib/cgi-bin are "safe", then my patch has
> no security impact.
That's not correct. With your patch you can execute the programs as
any user (including system users). With the normal suexec you can
only execute the programs as those users, where you copied them to
the public_html directory. This is equivalent to some whitelist that
has to be configured by the admin.
Maybe it would be an option to make the list/range of users
configurable that suexec will switch to, with no user allowed by
default. Or one could store that allowed user list in the xattrs of
every program in the suexec cgi dir.
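A small policy model of the argument in this thread, added here as an example; it is not code from the thread or from suexec itself. It models only the docroot and owner checks named above plus suexec's compiled-in minimum target uid, uses constructed paths and accounts, and compares which uids a root-owned program in /usr/lib/cgi-bin can run as under the current rule, under the proposed exception, and under the suggested admin-configured whitelist.

```python
from dataclasses import dataclass

# Constructed values for this model; real paths and limits come from the Apache/suexec build.
DOCROOT = "/var/www"
TRUSTED_CGI_DIR = "/usr/lib/cgi-bin"   # directory the proposed exception would cover
UID_MIN = 100                          # suexec's compiled-in minimum target uid (default 100)

@dataclass(frozen=True)
class Program:
    path: str
    owner_uid: int

def _under(path, directory):
    return path.startswith(directory.rstrip("/") + "/")

def suexec_decision(prog, target_uid, home, patched=False, allowed_uids=None):
    """Model of the two checks named in the thread, not suexec's own code.
    Unpatched: program under DOCROOT or the target user's public_html AND owned
    by the target user. patched=True adds the proposed exception (root-owned
    program under TRUSTED_CGI_DIR runs as any uid). allowed_uids models the
    suggested admin whitelist of switchable uids; None = no whitelist."""
    if target_uid < UID_MIN:
        return "deny: target uid below minimum"
    if allowed_uids is not None and target_uid not in allowed_uids:
        return "deny: target uid not in whitelist"
    in_tree = _under(prog.path, DOCROOT) or _under(prog.path, home + "/public_html")
    if in_tree and prog.owner_uid == target_uid:
        return "allow"
    if patched and _under(prog.path, TRUSTED_CGI_DIR) and prog.owner_uid == 0:
        return "allow: trusted-dir exception"
    return "deny: outside docroot or not owned by target user"

def runnable_as(prog, users, **policy):
    """Set of uids the program may be executed as; users maps uid -> home dir."""
    return {uid for uid, home in users.items()
            if suexec_decision(prog, uid, home, **policy).startswith("allow")}

# Constructed accounts: root, a system service account, two ordinary web users.
USERS = {0: "/root", 105: "/var/lib/svc", 1000: "/home/alice", 1001: "/home/bob"}
SHARED_CGI = Program("/usr/lib/cgi-bin/app.cgi", owner_uid=0)
ALICE_COPY = Program("/home/alice/public_html/app.cgi", owner_uid=1000)

if __name__ == "__main__":
    for label, policy in [("unpatched", {}), ("patched", {"patched": True}),
                          ("patched+whitelist", {"patched": True, "allowed_uids": {1000}})]:
        print(f"{label:18} shared cgi runs as {sorted(runnable_as(SHARED_CGI, USERS, **policy))}")
    print(f"{'unpatched':18} alice's copy runs as {sorted(runnable_as(ALICE_COPY, USERS))}")
```

The output shows the point made above: the copy in public_html runs only as alice, while the patched exception lets the shared program run as every account above the minimum uid, including the service account, until a whitelist narrows it again.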