Hi,
this is also a followup to Justin Grindea and "clamav perl scrip and su_exec".
We faced the same problem and considered it a design error for an upload approve
script to be called using suEXEC for these two reasons:
1. suEXEC executes CGIs as different users, which might
not have access to the uploaded files (which are usually
in /tmp and owned by www-data:www-data, permissions 600)

2. suEXEC check 18, "Is the target user/group the same as
the program's user/group?" means for us that we would need
as many upload approve scripts as virtual hosts, each
owned by the user the respective virtual host runs its
CGIs under.
The solution in the attached patch is to avoid ap_call_exec() using suEXEC.
Most likely, someone with more experience in Apache programming can boil this
patch down to the essentials. It runs on our test system as intended, but we
didn't put it into production use yet. It would be nice to get some feedback first.
The patch is against mod_security.c of the apache1 directory of the current
1.9.1 release of mod_security.
Kindest regards,
Michael Bunk