Mailing List Archive

WWW Form Bug Report: "cgi-bins executed as a random user id" on BSDI (fwd)
Is the use of "User" allowed in this way?
..looks dubious to me.


no ack sent.

Forwarded message:
> From nobody@hyperreal.com Fri Nov 10 11:45:00 1995
> Message-Id: <199511101944.LAA00881@taz.hyperreal.com>
> From: jnmoyne@lanminds.com
> To: apache-bugs%apache.org@organic.com
> Date: Fri Nov 10 11:44:53 1995
> Subject: WWW Form Bug Report: "cgi-bins executed as a random user id" on BSDI
>
> Submitter: jnmoyne@lanminds.com
> Operating system: BSDI, version:
> Extra Modules used: none
> URL exhibiting problem:
>
> Symptoms:
> --
> I have a bunch of virtual servers on the machine.
> For each </Virtual server> definition, I have a User line to define
> each virtual server to run with a different user id.
> This works fine for the documents, but cgi-bin scripts for that
> virtual server seem to be executed with a different User ID (it is
> really 'random', if the CGI script creates a file for example, the
> owner of the file is not the one defined for this virtual server).
>
> Each virtual server has its own cgi-bin dir, logs, conf, etc...
>
> contact me if you need more information.
> --
>
> Backtrace:
> --
>
> --
>
Re: WWW Form Bug Report: "cgi-bins executed as a random user id" on BSDI (fwd)
>
>
> Is the use of "User" allowed in this way?
> ..looks dubious to me.
>
>

No, but it would be really cool if it did....
Re: WWW Form Bug Report: "cgi-bins executed as a random user id" on
>
> >
> >
> > Is the use of "User" allowed in this way?
> > ..looks dubious to me.
> >
> >
>
> No, but it would be really cool if it did....

To do this, Apache would have to do its listen/accept as root. This is
supposedly a security risk, but since it can change user before reading anything
from the socket, it seems to me that the possibility of subversion is fairly
minimal.

Cheers,

Ben.

--
Ben Laurie Phone: +44 (181) 994 6435
Freelance Consultant Fax: +44 (181) 994 6472
and Technical Director Email: ben@algroup.co.uk
A.L. Digital Ltd,
London, England.
Re: WWW Form Bug Report: "cgi-bins executed as a random user id" on BSDI (fwd)
> No, but it would be really cool if it did....

Unfortunately, it's really hard to implement. Basically, the problem is
that the server processes would have to run as root until they figured out
which user's permissions to adopt and then (if we want to keep the pre-forking
model of operation) switch back. This would make whatever security holes
might exist more dangerous (compromising root directly, rather than the www
dummy uid); the details are also somewhat less than portable, as we've been
through before.

rst
Re: WWW Form Bug Report: "cgi-bins executed as a random user id" on BSDI (fwd)
A workaround, it seems, would just be to run multiple servers
with different 'User' lines, and use the BindAddress command.


>
> No, but it would be really cool if it did....
>
> Unfortunately, it's really hard to implement. Basically, the problem is
> that the server processes would have to run as root until they figured out
> which user's permissions to adopt and then (if we want to keep the pre-forking
> model of operation) switch back. This would make whatever security holes
> might exist more dangerous (compromising root directly, rather than the www
> dummy uid); the details are also somewhat less than portable, as we've been
> through before.
>
> rst
>


--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org (or login as "guest") sameer@c2.org
Re: WWW Form Bug Report: "cgi-bins executed as a random user id" on BSDI (fwd)
> A workaround, it seems, would just be to run multiple servers
> with different 'User' lines, and use the BindAddress command.

Yep... in fact, this is the major reason left for using BindAddress at all
(just about everything else can be configured per virtual server).

rst
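
The workaround discussed in this thread, sketched as an added example that is not part of the original messages or of the Apache distribution: two independent server instances, each bound to one address with BindAddress and each with its own User line. The addresses, account names, host names and paths are assumptions made for illustration.

```apache
# Constructed example: addresses, accounts, host names and paths are assumptions.
# One httpd process tree per site. Each instance is started as root so that it
# can bind port 80, and its children then run as the uid on its own User line:
#   httpd -f /usr/local/etc/httpd-alpha/conf/httpd.conf
#   httpd -f /usr/local/etc/httpd-beta/conf/httpd.conf
# Apache 1.x also reads conf/srm.conf and conf/access.conf under each ServerRoot.

# ---- /usr/local/etc/httpd-alpha/conf/httpd.conf ----
ServerType   standalone
ServerRoot   /usr/local/etc/httpd-alpha
BindAddress  192.0.2.10
Port         80
User         alpha
Group        alpha
ServerName   www.alpha.example
DocumentRoot /home/alpha/htdocs
ScriptAlias  /cgi-bin/ /home/alpha/cgi-bin/
PidFile      logs/httpd.pid
ErrorLog     logs/error_log
TransferLog  logs/access_log

# ---- /usr/local/etc/httpd-beta/conf/httpd.conf ----
ServerType   standalone
ServerRoot   /usr/local/etc/httpd-beta
BindAddress  192.0.2.11
Port         80
User         beta
Group        beta
ServerName   www.beta.example
DocumentRoot /home/beta/htdocs
ScriptAlias  /cgi-bin/ /home/beta/cgi-bin/
PidFile      logs/httpd.pid
ErrorLog     logs/error_log
TransferLog  logs/access_log
```

CGI scripts inherit the uid of the server process that runs them, so files created by a script under one instance are owned by that instance's User. Each instance gives up root once at startup and never needs to regain it per request.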