Bug#499191: Possible security issues
Stefan Fritsch wrote:
> On Wednesday 04 February 2009, Alexander Prinsier wrote:
>> Well yeah, if you misconfigure your system, it's easy to bypass all
>> sorts of things :), like you illustrated below. (misconfigured
>> because you apparently allow the execution of any binary as any
> Considering that the majority of all systems with mod_php is
> misconfigured in this way, one should not ship a package that relies
> on the system not having this configuration. Especially since nearly
> no admins are aware of the implications of suexec for local security.
Ok that's an issue... Could be resolved by disabling any new
functionality by default and putting a big fat warning on the screen
when trying to enable it.
>> I believe you have the exact same security impact by copying all
>> cgi's in /usr/lib/cgi-bin to the users's public_html directory. If
>> the cgi's you put in /usr/lib/cgi-bin are "safe", then my patch has
>> no security impact.
> That's not correct. With your patch you can execute the programs as
> any user (including system users). With the normal suexec you can
> only execute the programs as those users, where you copied them to
> the public_html directory. This is equivalent to some whitelist that
> has to be configured by the admin.
Only if the user can execute as www-data, which I assumed was
Even then, suexec checks the uid/gid is above some minimum, ruling out
system users. That makes suexec resemble more a blacklist than a
whitelist. So you're right my equivalence above is not 100% correct. In
my use case though, the two would be equivalent (because I want to allow
any non-system user to execute the cgi using suexec).
> Maybe it would be an option to make the list/range of users
> configurable that suexec will switch to, with no user allowed by
> default. Or one could store that allowed user list in the xattrs of
> every program in the suexec cgi dir.
That's a nice idea to store that in the xattrs of the cgi's. But that
list would have to include any user on the system, except the few system
users... It's not very convenient. And then you're assuming a user can
execute as www-data.
The min_uid and min_gid like suexec uses already is far easier to
administer. But it gives you less flexibility than the xattrs idea,
because then suexec uses a blacklist instead of a whitelist. Still, in
99% of the cases, people don't need such a whitelist.
I really think this cgi_docroot should only be used when users can't
execute as www-data, and the admin is fully documented about its
impact. Discussing the impact when a user could execute as www-data is
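To make the blacklist-versus-whitelist comparison above concrete, here is an added example (not code from this thread, Debian, or Apache) that models both target-user policies side by side: suexec's min_uid/min_gid floor and a per-program allow-list such as the one proposed for the xattrs. The floor values and the xattr name are assumptions; the accounts are constructed sample data.

```python
"""Model of the two suexec target-user policies discussed in the thread.

* floor_allows: the existing min_uid/min_gid check. Every account at or
  above the floor may be switched to, so it only rules out system
  accounts (a blacklist).
* allowlist_allows: a per-program list of permitted users, e.g. read
  from an extended attribute on the CGI (a whitelist).
"""
import os
from dataclasses import dataclass

# Assumed floor; the real values are compiled into suexec (see `suexec -V`).
MIN_UID = 100
MIN_GID = 100

XATTR_NAME = "user.suexec.allowed_users"  # hypothetical attribute name


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int


def floor_allows(acct, min_uid=MIN_UID, min_gid=MIN_GID):
    """suexec-style check: reject only accounts below the configured floor."""
    return acct.uid >= min_uid and acct.gid >= min_gid


def allowlist_allows(acct, allowed):
    """Whitelist check: the account must be explicitly listed for this program."""
    return acct.name in allowed


def read_allowlist(path):
    """Read a comma-separated allow-list from the program's xattr.

    Missing attribute, unsupported filesystem or non-Linux host all yield
    an empty set, i.e. nobody is allowed by default.
    """
    try:
        raw = os.getxattr(path, XATTR_NAME)
    except (OSError, AttributeError):
        return set()
    return {u for u in raw.decode().split(",") if u}


def compare(accounts, allowed):
    """Return {name: (floor_result, allowlist_result)} for each account."""
    return {a.name: (floor_allows(a), allowlist_allows(a, allowed))
            for a in accounts}
```

Running `compare` over a root, www-data and two ordinary users with only one of them allow-listed shows the difference the thread is about: the floor admits every non-system user, the allow-list admits only the listed one.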