
Re: enabling suexec with debian apache [solved]



> > It is not only what they write, but what they set the permissions to, as
> > well. I know, this is also what they should learn. But with
> > exploitable setuid cgi-s, and one can never be sure that his code is
> > unexploitable, not only his cgi datafiles, but all files can be accessed
> > and modified as well.

the fact that a script is suid doesn't mean diddley.  that a script is suid
to a *privileged* user (eg. root) is important.  the suexec binary itself is
suidroot ... but it gets executed by apache itself, and all it does is make
sure user cgi/ssi's get executed as the correct user that is associated with
that virtual domain or ~user account.

suexec doesn't cause users' cgi/ssi's to run suid, it is suid itself.

> So create a second account, usercgi for the people who need to use cgis
> and don't have the time/knowledge to secure them.

this doesn't really solve the problem.  it means that users' cgi's can't
screw with the server's stuff but it doesn't stop them from messing with
each other's stuff.

> I still don't see where having all the users share one uid for their
> cgis is better than having them use their own id - at least the damage
> is limited to one user rather than all of them.

it depends on your environment.  if you are running a server where if a
user's data gets trashed because of another user's malicious or incompetent
cgi it's just their bad luck ... then suexec (or something like
cgiwrap) doesn't really do you much good.  however if you are an isp and one
of your customers' data gets trashed it doesn't really matter why it happened
or whose fault it is, it's going to reflect poorly on you.  so protecting
customers from their own and each other's stupidity is part of the job.

you are correct though, having cgi/ssi's run as a different user for each
domain/~user account is better than all user cgi/ssi's running as one
unprivileged account.  given how easy suexec/cgiwrap are to set up as well
there is no real benefit (other than laziness) in not doing this.

adam.
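
The pre-exec gate that makes a setuid-root wrapper like suexec safe to run, as an added example that is not part of the original message and is not the suexec source. It implements a subset of the ownership and permission checks documented in Apache's suexec security model; `MIN_UID`, the function names and the sample uids are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Assumed site policy: lowest uid allowed to own CGI programs (hypothetical). */
#define MIN_UID 1000

enum verdict { OK_TO_EXEC = 0, TARGET_IS_ROOT, UID_BELOW_MINIMUM,
               OWNER_MISMATCH, WRITABLE_BY_OTHERS, SETUID_OR_SETGID };

/* Decide whether a wrapper may run the program described by st as uid/gid.
   Every check must pass before the wrapper drops privileges and execs. */
enum verdict check_target(const struct stat *st, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return TARGET_IS_ROOT;        /* never run a CGI as the superuser */
    if (uid < MIN_UID)
        return UID_BELOW_MINIMUM;     /* keeps system accounts out of reach */
    if (st->st_uid != uid || st->st_gid != gid)
        return OWNER_MISMATCH;        /* program must belong to the target user */
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return WRITABLE_BY_OTHERS;    /* nobody else may be able to replace it */
    if (st->st_mode & (S_ISUID | S_ISGID))
        return SETUID_OR_SETGID;      /* program may not change identity again */
    return OK_TO_EXEC;
}

/* Build a constructed stat record (sample data, not read from disk). */
enum verdict check(uid_t file_uid, gid_t file_gid, mode_t mode,
                   uid_t uid, gid_t gid)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_uid = file_uid;
    st.st_gid = file_gid;
    st.st_mode = mode;
    return check_target(&st, uid, gid);
}

int main(void)
{
    /* Constructed cases: user 1001 running their own script, then the same
       script left group-writable, then a script owned by a neighbour. */
    printf("own script, 0755:   %d\n", check(1001, 1001, 0755, 1001, 1001));
    printf("own script, 0775:   %d\n", check(1001, 1001, 0775, 1001, 1001));
    printf("neighbour's script: %d\n", check(1002, 1002, 0755, 1001, 1001));
    return 0;
}
```
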

