
Bug#607755: apache2: suexec-custom does not allow docroot=/ (trailing slash gets removed)



tags 607755 wontfix
thanks

On Tuesday 21 December 2010, Daniel Hahler wrote:
> I want to use suexec-custom for a setup using mod_chroot, and
> therefore want/have to use a DocumentRoot of "/" (which is the
> root of the chroot).
> 
> Unfortunately there appears to be a bug in
> debian/patches/202_suexec-custom.dpatch, function read_line, where
> trailing space and slash get removed.
> A trailing slash should not get removed here if it is the only
> char (and refers to the root directory).

This is not a bug, but intentional (see the suexec man page in the 
apache2-suexec-custom package). Setting the docroot setting of suexec 
to / introduces a local privilege escalation vulnerability (at least 
in a non-chrooted environment). Therefore I will not lift this 
restriction.

However, I do invite you to discuss with me on the debian-apache 
mailing list how a reasonable chroot setup could look. The result 
could then be documented on [1] and maybe be included in README.Debian 
in a future version.

I think for simple setups without cgi/fastcgi/..., the built-in 
chrootdir directive should simply work (i.e. ChrootDir /var/www).

For more complicated setups, it may be better to have something like 
this: The chroot in e.g. /srv/www, the html data in /srv/www/var/www, 
the DocumentRoot setting in Apache as /var/www. The real /var/www 
outside the chroot then must be a symlink to /srv/www/var/www.
With such a setup, you can copy stuff into the chroot in a way that 
all paths are identical inside and outside of the chroot. If your 
webapp has some configuration data e.g. in /etc/webapp, make that a 
symlink to /srv/www/etc/webapp and put the files there.

Does this sound like it could work for you?

[1] http://wiki.debian.org/Apache/Hardening
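The containment rule behind the wontfix, as an added illustration: this is hypothetical code written for this page, not the code of debian/patches/202_suexec-custom.dpatch or of suexec itself. It assumes a read_line-style reader that strips trailing whitespace and slashes, and the suexec-style check that a script path must lie under the configured docroot; a docroot of "/" strips to the empty string, and an empty docroot would make that check pass for every absolute path.

```c
/* Added example, not the Debian patch's or suexec's own code: a
 * hypothetical re-implementation of reading one docroot line and of
 * the "script must live under docroot" containment check. */
#include <stdio.h>
#include <string.h>

/* Strip trailing whitespace and slashes in place, as the bug report
 * describes read_line doing. Returns the remaining length. */
size_t strip_trailing(char *line)
{
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == ' ' || line[len - 1] == '\t' ||
                       line[len - 1] == '\n' || line[len - 1] == '/'))
        line[--len] = '\0';
    return len;
}

/* Parse a docroot line into out. Returns 1 on success, 0 if rejected.
 * "/" (or a whitespace-only line) strips to "" and is refused, which
 * is the restriction the maintainer keeps in place. */
int read_docroot(const char *line, char *out, size_t outsz)
{
    char buf[256];
    if (strlen(line) >= sizeof buf)
        return 0;
    strcpy(buf, line);
    if (strip_trailing(buf) == 0 || buf[0] != '/')
        return 0;
    if (strlen(buf) >= outsz)
        return 0;
    strcpy(out, buf);
    return 1;
}

/* Containment check: path must equal docroot or sit beneath it.
 * With an empty docroot (what "/" becomes after stripping) every
 * absolute path satisfies this, so the check would be vacuous. */
int under_docroot(const char *path, const char *docroot)
{
    size_t n = strlen(docroot);
    return strncmp(path, docroot, n) == 0 &&
           (path[n] == '\0' || path[n] == '/');
}
```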
