[22971] in bugtraq
Apache suexec
daemon@ATHENA.MIT.EDU (Stefanos Harhalakis)
Wed Oct 24 00:37:18 2001
Message-Id: <200110232141.AAA03585@ppp0.the.forthnet.gr>
Content-Type: text/plain;
charset="iso-8859-1"
From: Stefanos Harhalakis <v13@it.teithe.gr>
To: bugtraq@securityfocus.com
Date: Wed, 24 Oct 2001 00:41:05 +0300
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
I've noticed something weird when using Apache and the suexec wrapper.
Suexec is supposed not to change uid/gid to anything less than
minuid/mingid. This is not so true.

Suppose we have mingid==100 and a user with gid==0 which belongs to groups
123,234,345. Suexec will not execute any script for this user.

Now suppose we have the same user with gid==123 which belongs to groups
0,234,345. Suexec will execute any cgi without problem. The running cgi will
be a member of all those groups.

This can be tested by simply running a shell script which calls id.

I've found http://bugs.apache.org/index.cgi/full/1001 dated
Sat Aug 16 13:39:01 1997. This has been known for a long time but nothing
has been done. At least there should be a note in the docs. I don't think that
there exists a case where having gid<mingid is insecure, but being a member of
a group with gid<mingid is secure.
<<V13>>
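
The following is an added example, not part of the original post and not suexec source code. It contrasts a primary-gid-only check, as the post describes, with a check that also covers supplementary groups; the function names and the 64-group limit are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* exposes getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

/* Only the primary gid is compared, as the post describes (hypothetical name). */
int primary_gid_ok(gid_t primary, gid_t min_gid)
{
    return primary >= min_gid;
}

/* Stricter check: primary gid and every supplementary group must be at or
 * above min_gid. Returns 1 if so; else 0 with the offending gid in *bad. */
int all_gids_ok(gid_t primary, const gid_t *groups, int n,
                gid_t min_gid, gid_t *bad)
{
    if (primary < min_gid) { *bad = primary; return 0; }
    for (int i = 0; i < n; i++)
        if (groups[i] < min_gid) { *bad = groups[i]; return 0; }
    return 1;
}

/* Usage: ./gidcheck <user> <min_gid>. With no arguments it runs the
 * constructed case from the post: gid 123, groups 0,234,345, mingid 100. */
int main(int argc, char **argv)
{
    gid_t groups[64] = {0, 234, 345}, primary = 123, min_gid = 100, bad = 0;
    int n = 3;
    if (argc == 3) {
        struct passwd *pw = getpwnam(argv[1]);
        if (!pw) { fprintf(stderr, "unknown user %s\n", argv[1]); return 2; }
        primary = pw->pw_gid;
        min_gid = (gid_t)strtoul(argv[2], NULL, 10);
        n = 64;                       /* assumed upper bound on groups */
        if (getgrouplist(pw->pw_name, primary, groups, &n) < 0) {
            fprintf(stderr, "more than 64 groups, refusing\n");
            return 2;
        }
    }
    printf("primary-only check: %s\n",
           primary_gid_ok(primary, min_gid) ? "pass" : "fail");
    if (all_gids_ok(primary, groups, n, min_gid, &bad)) { puts("full check: pass"); return 0; }
    printf("full check: fail, gid %lu is below %lu\n",
           (unsigned long)bad, (unsigned long)min_gid);
    return 1;
}
```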