Bug#607755: apache2: suexec-custom does not allow docroot=/ (trailing slash gets removed)
tags 607755 wontfix
thanks
On Tuesday 21 December 2010, Daniel Hahler wrote:
> I want to use suexec-custom for a setup using mod_chroot, and
> therefore want/have to use a DocumentRoot of "/" (which is the
> root of the chroot).
>
> Unfortunately there appears to be a bug in
> debian/patches/202_suexec-custom.dpatch, function read_line, where
> trailing space and slash get removed.
> A trailing slash should not get removed here if it is the only
> char (and refers to the root directory).
This is not a bug, but intentional (see the suexec man page in the
apache2-suexec-custom package). Setting the docroot setting of suexec
to / introduces a local privilege escalation vulnerability (at least
in a non-chrooted environment). Therefore I will not lift this
restriction.
However, I do invite you to discuss with me on the debian-apache
mailing list what a reasonable chroot setup could look like. The result
could then be documented on [1] and maybe be included in README.Debian
in a future version.
I think for simple setups without cgi/fastcgi/..., the built-in
chrootdir directive should simply work (i.e. ChrootDir /var/www).
For more complicated setups, it may be better to have something like
this: The chroot in e.g. /srv/www, the html data in /srv/www/var/www,
the DocumentRoot setting in Apache as /var/www. The real /var/www
outside the chroot then must be a symlink to /srv/www/var/www.
With such a setup, you can copy stuff into the chroot in a way that
all paths are identical inside and outside of the chroot. If your
webapp has some configuration data e.g. in /etc/webapp, make that a
symlink to /srv/www/etc/webapp and put the files there.
Does this sound like it could work for you?
[1] http://wiki.debian.org/Apache/Hardening
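The layout the maintainer sketches, as an added example that is not part of the bug report or of Debian's apache2 package: it builds the chroot tree under a scratch directory standing in for the host's "/" (BASE, SUEXEC_CONF and the sample files are constructed here) and checks that web paths name the same file inside and outside the chroot, and that the suexec docroot is /var/www rather than the refused "/".

```shell
#!/bin/sh
# Added example, not code from the bug report or the apache2 package. BASE is a
# constructed scratch directory standing in for the host's "/"; SUEXEC_CONF is a
# constructed stand-in for a suexec-custom per-user file (first line = docroot).
set -eu
BASE="${BASE:-$(mktemp -d)}"
CHROOT="$BASE/srv/www"                            # the chroot, as in the message
SUEXEC_CONF="$BASE/etc/apache2/suexec/www-data"

# Lay out the tree the message sketches: real files in /srv/www/..., host-side
# /var/www and /etc/webapp symlinked into it, Apache DocumentRoot staying /var/www.
setup_layout() {
    mkdir -p "$CHROOT/var/www" "$CHROOT/etc/webapp"
    echo '<html>hello</html>' > "$CHROOT/var/www/index.html"
    echo 'db=example' > "$CHROOT/etc/webapp/config.ini"
    mkdir -p "$BASE/var" "$BASE/etc" "$(dirname "$SUEXEC_CONF")"
    ln -sfn "$CHROOT/var/www" "$BASE/var/www"       # /var/www -> /srv/www/var/www
    ln -sfn "$CHROOT/etc/webapp" "$BASE/etc/webapp" # /etc/webapp -> /srv/www/etc/webapp
    # suexec docroot is the chroot-relative /var/www, not the refused "/"
    printf '/var/www\npublic_html\n' > "$SUEXEC_CONF"
}

# Succeeds if $1 (a chroot-relative path such as /var/www/index.html) resolves to
# the same existing file through the host view and through the chroot view.
same_inside_outside() {
    outside=$(readlink -f "$BASE$1" 2>/dev/null || true)
    inside=$(readlink -f "$CHROOT$1" 2>/dev/null || true)
    if [ -n "$outside" ] && [ -e "$outside" ] && [ "$outside" = "$inside" ]; then
        return 0
    fi
    return 1
}

# Succeeds if the docroot in file $1 is one suexec-custom would accept. Trailing
# whitespace and a trailing slash are stripped first, as the report says read_line
# does; that is why a bare "/" collapses to "" and is refused.
docroot_is_safe() {
    docroot=$(head -n1 "$1" | sed 's/[[:space:]]*$//; s,/$,,')
    case "$docroot" in
        "") return 1 ;;  # was "/" or blank: the local privilege escalation the maintainer refuses
        /*) return 0 ;;  # absolute path below the root
        *)  return 1 ;;  # relative: not usable as a docroot
    esac
}

setup_layout
same_inside_outside /var/www/index.html && echo "index.html: same file in and out of chroot"
docroot_is_safe "$SUEXEC_CONF" && echo "suexec docroot $(head -n1 "$SUEXEC_CONF") accepted"
```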