
Bug#654545: apache2-suexec: some possible security improvements for suexec/suexec-custom



Package: apache2-suexec
Severity: normal


Hi.

Currently suexec is compiled with:
 -D AP_GID_MIN=100
 -D AP_UID_MIN=100
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"


Some things that are perhaps worth thinking about:
1) Is there a specific security reason not to include /sbin and /usr/sbin?
I mean any CGI script can just manually call any binary in there.
Is it just to avoid accidental invocations of stuff in there?
And admittedly,.. most CGI scripts should probably have no need for programs
from there.

2) /usr/local/bin
In Debian this is writable by members from the staff group.
Of course,... if root adds any user to this group he should know what he does.
But perhaps it would also make sense to drop it?
If a script really needs it, it can still just use the full path.

3) minimal UID and GID
In Debian the UIDs/GIDs are classified as follows:
http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.2
It would probably break many setups,.. but perhaps it's worth thinking about
increasing this to 1000.
Otherwise suexec can su to most system daemons...
OTOH I'm of course well aware that this is in many cases what's wanted.
Have a look at bug #654543 for a possibly even better solution (at least for
suexec-custom).


Cheers,
Chris.
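The UID/GID floor discussed in point 3, as an added example that is not part of the report or of suexec itself: a small audit script that applies the same rule suexec's AP_UID_MIN/AP_GID_MIN checks express (target rejected when its uid or gid is below the minimum) to a constructed passwd sample, so an admin can see which system accounts a floor of 100 still accepts and which ones raising it to 1000 would exclude. The sample accounts and their ids are made up; the gid is simplified to the account's primary group from passwd.

```shell
# Constructed sample /etc/passwd content; not taken from any real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:108:115:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
mysql:x:110:117:MySQL Server:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# suexec_targets MIN_UID MIN_GID [PASSWD_TEXT]
# Applies the compile-time floor: an account is rejected when its uid is
# below AP_UID_MIN or its (primary) gid is below AP_GID_MIN. Prints one
# "user:uid:gid" line per account that would still be accepted.
suexec_targets() {
    printf '%s\n' "${3:-$SAMPLE_PASSWD}" |
        awk -F: -v mu="$1" -v mg="$2" \
            '$3 >= mu && $4 >= mg { print $1 ":" $3 ":" $4 }'
}

# count_targets MIN_UID MIN_GID: number of accepted accounts.
count_targets() {
    suexec_targets "$1" "$2" | awk 'END { print NR }'
}

# newly_excluded OLD_MIN NEW_MIN: accounts accepted with uid and gid floor
# OLD_MIN but rejected once both floors are raised to NEW_MIN, i.e. the
# system daemons a rebuild with AP_UID_MIN=AP_GID_MIN=1000 would stop
# suexec from switching to.
newly_excluded() {
    suexec_targets "$1" "$1" | awk -F: -v nm="$2" '$2 < nm || $3 < nm'
}

# Usage: compare the current Debian floor (100) with a floor of 1000.
echo "accepted at 100:";  suexec_targets 100 100
echo "accepted at 1000:"; suexec_targets 1000 1000
echo "excluded by raising the floor to 1000:"; newly_excluded 100 1000
```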


