[cgiwrap-users] FW: Apache suexec
From: Neulinger, N. <nn...@um...> - 2001-10-24 13:43:54
-----Original Message-----
From: Neulinger, Nathan
Sent: Wednesday, October 24, 2001 8:43 AM
To: bu...@se...
Subject: RE: Apache suexec

FYI - cgiwrap will have the same limitation, cause I don't check the aux groups for those same uid/gid limits.

-- Nathan

> -----Original Message-----
> From: Stefanos Harhalakis [mailto:v1...@it...]
> Sent: Tuesday, October 23, 2001 4:41 PM
> To: bu...@se...
> Subject: Apache suexec
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've noticed something weird when using Apache and the suexec wrapper.
> Suexec is supposed not to change uid/gid to anything less than minuid/mingid. This is not so true.
>
> Suppose we have mingid==100 and a user with gid==0 which belongs to groups 123,234,345. Suexec will not execute any script for this user.
>
> Now suppose we have the same user with gid==123 which belongs to groups 0,234,345. Suexec will execute any cgi without problem. The running cgi will be a member of all those groups.
>
> This can be tested by simply running a shell script which calls id.
>
> I've found http://bugs.apache.org/index.cgi/full/1001 dated Sat Aug 16 13:39:01 1997. This is known for a long time but there is nothing done. At least there should be a note in the docs. I don't think that there exists a case where having gid<mingid is insecure, but being a member of a group with gid<mingid is secure.
>
> <<V13>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE71eP1beTfnxxoC7oRAnfJAJ93brLvwrkOoyr4IZBzg0rAFFnEdACePPhZ
> brpjfoY3/ek04hP8TdBbGqU=
> =tAt7
> -----END PGP SIGNATURE-----
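The two checks the thread contrasts, written out as an added example (this is not suexec's or cgiwrap's code): the primary-uid/gid-only test the report says suexec performs, beside a test that also walks the supplementary group list. The function names, the uid 1000 and the minuid value are assumptions; the two group scenarios and mingid 100 are taken from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical helper (not suexec's own code): the check the report
 * describes, which only compares the primary uid and gid. */
bool primary_only_ok(uid_t uid, gid_t gid, uid_t minuid, gid_t mingid)
{
    return uid >= minuid && gid >= mingid;
}

/* Hypothetical helper: the same check extended over the supplementary
 * groups, since the CGI runs as a member of every one of them
 * (what `id` from a shell script would print). */
bool all_groups_ok(uid_t uid, gid_t gid, const gid_t *groups, size_t ngroups,
                   uid_t minuid, gid_t mingid)
{
    if (!primary_only_ok(uid, gid, minuid, mingid))
        return false;
    for (size_t i = 0; i < ngroups; i++)
        if (groups[i] < mingid)
            return false;
    return true;
}

/* Constructed sample inputs from the report's two scenarios (mingid 100).
 * uid 1000 and minuid 100 are assumptions; the report gives neither. */
#define SAMPLE_UID 1000
#define SAMPLE_MINUID 100
#define SAMPLE_MINGID 100
static const gid_t SAMPLE_A[] = {123, 234, 345}; /* primary gid 0 */
static const gid_t SAMPLE_B[] = {0, 234, 345};   /* primary gid 123 */

/* Scenario A: primary gid 0 is rejected by both checks. */
bool scenario_a_primary(void) { return primary_only_ok(SAMPLE_UID, 0, SAMPLE_MINUID, SAMPLE_MINGID); }
bool scenario_a_all(void) { return all_groups_ok(SAMPLE_UID, 0, SAMPLE_A, 3, SAMPLE_MINUID, SAMPLE_MINGID); }

/* Scenario B: primary gid 123 passes the primary-only check even though
 * the user is still a member of gid 0; the full check rejects it. */
bool scenario_b_primary(void) { return primary_only_ok(SAMPLE_UID, 123, SAMPLE_MINUID, SAMPLE_MINGID); }
bool scenario_b_all(void) { return all_groups_ok(SAMPLE_UID, 123, SAMPLE_B, 3, SAMPLE_MINUID, SAMPLE_MINGID); }

int main(void)
{
    printf("A: primary-only=%d all-groups=%d\n", scenario_a_primary(), scenario_a_all());
    printf("B: primary-only=%d all-groups=%d\n", scenario_b_primary(), scenario_b_all());
    return 0;
}
```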