
Bug#785740: marked as done (apache2-suexec-custom always reads www-data config)



Your message dated Wed, 20 May 2015 20:46:41 +0200
with message-id <6541761.DvnIUohJ5m@k>
and subject line Re: Bug#785740: apache2-suexec-custom always reads www-data config
has caused the Debian Bug report #785740,
regarding apache2-suexec-custom always reads www-data config
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
785740: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785740
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-suexec-custom
Version: 2.4.10-10


The apache2-suexec-custom manpage says that suexec will read the calling user's /etc/apache2/suexec/username configuration file. Unfortunately, the calling user is always www-data, so it always ends up reading /etc/apache2/suexec/www-data regardless of the owner of the script being executed.

I think this is because the configuration filename is obtained by

asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name)

where pw comes from

     uid = getuid();
     if ((pw = getpwuid(uid)) == NULL) {

right at the beginning of main() when uid is still that of www-data. It should be obtained from target_uname instead.

$ uname -v
#1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24)

--- End Message ---
--- Begin Message ---
On Tuesday 19 May 2015 20:39:54, muench_horst@web.de wrote:
> Package: apache2-suexec-custom
> Version: 2.4.10-10
> 
> 
> The apache2-suexec-custom manpage says that suexec will read the
> calling user's /etc/apache2/suexec/username configuration file.
> Unfortunately, the calling user is always www-data, so it always
> ends up reading /etc/apache2/suexec/www-data regardless of the
> owner of the script being executed.

This works as intended. And I think it is even documented correctly:

"By creating several config files, you can
allow several different apache run users to use suexec"

The idea is to have different apache2 processes running as
different users be able to use different suexec configs.



> I think this is because the configuration filename is obtained by
> 
> asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name)
> 
> where pw comes from
> 
>      uid = getuid();
>      if ((pw = getpwuid(uid)) == NULL) {
> 
> right at the beginning of main() when uid is still that of www-data.
> It should be obtained from target_uname instead.

target_uname does not come from a trusted source. A local attacker can 
set it to whatever he wants.

> 
> $ uname -v
> #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24)

--- End Message ---
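
The trust distinction made in the reply, as an added example that is not part of either message and not suexec's own code: the config path is derived from the passwd entry for the real UID of the calling process, while the argv-supplied target name is never used to choose policy. The value of SUEXEC_CONFIG_DIR is taken from the path quoted in the report; select_config(), config_path_from_pw() and safe_name() are hypothetical names, and the name check is an added hardening step.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed from the path quoted in the report; the thread only names the macro. */
#define SUEXEC_CONFIG_DIR "/etc/apache2/suexec/"

/* Added hardening (not from the thread): a name must stay a single path component. */
static int safe_name(const char *s)
{
    return s != NULL && s[0] != '\0' && s[0] != '.' && strchr(s, '/') == NULL;
}

/* Build the config path from a passwd entry obtained via the kernel-reported real UID. */
int config_path_from_pw(const struct passwd *pw, char *out, size_t n)
{
    int len;

    if (pw == NULL || !safe_name(pw->pw_name))
        return -1;
    len = snprintf(out, n, SUEXEC_CONFIG_DIR "%s", pw->pw_name);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hypothetical wrapper: policy is keyed on who called us, never on what they asked for. */
int select_config(uid_t caller_uid, const char *target_uname, char *out, size_t n)
{
    (void)target_uname; /* argv-supplied, so the invoking user controls it */
    return config_path_from_pw(getpwuid(caller_uid), out, n);
}

int main(int argc, char **argv)
{
    char path[256];
    const char *target = argc > 1 ? argv[1] : "(none)";

    if (select_config(getuid(), target, path, sizeof path) != 0) {
        fprintf(stderr, "no usable passwd entry for uid %ld\n", (long)getuid());
        return 1;
    }
    printf("requested target '%s', config chosen: %s\n", target, path);
    return 0;
}
```

Run with any argument, the program prints the same config path for a given caller, which is the behaviour the report observed and the reply describes as intended.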
