Suexec with Apache 1.3.29

Mikkel Christensen mikkel at talkactive.net
Thu Apr 29 10:13:17 PDT 2004 

On Thursday 29 April 2004 14:22, Marty Landman wrote:
> At 10:06 AM 4/29/2004, Mikkel Christensen wrote:
> 
> >This seems extremely strange to me.
> 
> Why is it strange? The reason I kept trying to install suexec was because 
> until I did, the development environment I set up on my LAN could mirror 
> that on my real sites with the exception that all the files & directories 
> had to be given 777 or equivalent permissions. Otherwise with the user 
> running my cgi's being nobody aka www or httpd files couldn't be written 
> to, created, deleted etc.. With the types of web apps I write this was 
> becoming not only a royal pain, also a constant reminder to me that my 
> local environment was as insecure as it could be; of course it's strictly 
> local so not a problem.

Okay, I can see your point.
But, I still find it annoying that suexec wont execute a script that is owned by a particular user if another user has group rights to the script.
Eg I would like execution to be run under user1, both the User end Group.

My idea is that if the file is owned by user1 and the file's group is www it would give more possibilities to the user for denying other users access.

Eg. the user (user1) could deny other regular users on the server access by sætting chmod xx0.
He could allow the webserver to read his files with chmod x4x and the give execution, read and write rights to himself with chmod 7xx.
Now he has to give the webserver the same rights as everybody else on the server. This is a problem if he stores passwords in a php-script. Apache will interpret it and therefore not let anyone se the source while other users can read the content as they please.
This seems to be more unsecure, or am I wrong?
I get the idea that if other group members have access to the file they could potentially write their own content. Bus usually the group doen's have write access to files. And also, no users are members of the www group by default.

> 
> >But following theese rules it works as it should.
> 
> With suexec running, a cgi gets set to 744 or 700 instead of 755; a data 
> file e.g. log or count file gets 644 or 600 instead of 666. It's amazing to 
> me that more vandalism and cross site scripting doesn't occur given the 
> servers that still don't run suexec, or the users that aren't hip to using 
> it properly for setting permissions when the server does support it.
> 

 Can't argue with that:)

- Mikkel

More information about the freebsd-questions mailing list