Bug#21525: apache: suexec security problem


go...@passenger.telnet.hu

Apr 22, 1998, 3:00:00 AM

Package: apache
Version: 1.3b6-1
Severity: important

IIRC previous versions of apache refused to run when there were configuration
directives requiring the suexec wrapper in httpd.conf while suexec was not
configured properly. 1.3b6 just gives a warning in the error log. So if somehow
suexec lost its setuid bit, all the users' CGIs would run with the webserver's
privileges and no one would notice. This is a security risk. So I propose the
following patch. Please forward it upstream.

--- http_core.c.save Wed Apr 22 14:32:46 1998
+++ http_core.c Wed Apr 22 14:34:11 1998
@@ -1346,8 +1346,9 @@
else {
cmd->server->server_uid = ap_user_id;
fprintf(stderr,
- "Warning: User directive in <VirtualHost> "
+ "ERROR: User directive in <VirtualHost> "
"requires SUEXEC wrapper.\n");
+ exit(1);
}
}
#if !defined (BIG_SECURITY_HOLE) && !defined (__EMX__)
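Review bot: the `+ exit(1);` added after the fprintf is the wrong way to abort from an Apache 1.3 directive handler. These handlers receive a `cmd_parms *` (visible here as `cmd->server->server_uid`) and signal a fatal configuration error by returning an error string to the config reader, which prints it together with the offending file and line and refuses to start; a bare exit(1) loses that context, leaves the message on stderr only, and turns the `cmd->server->server_uid = ap_user_id;` assignment just above it into dead code. Suggest replacing the fprintf/exit pair with a returned error, e.g. `return "User directive in <VirtualHost> requires SUEXEC wrapper";`.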
@@ -1380,7 +1381,8 @@
else {
cmd->server->server_gid = ap_group_id;
fprintf(stderr,
- "Warning: Group directive in <VirtualHost> requires SUEXEC wrapper.\n");
+ "ERROR: Group directive in <VirtualHost> requires SUEXEC wrapper.\n");
+ exit(1);
}
}
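Review bot: this hunk repeats the fprintf/exit(1) pattern of the User hunk for Group, so whatever abort mechanism is chosen there should be applied here identically (ideally a returned error string rather than exit(1)), and the two messages should be kept in the same shape; as written the Group string is on one line while the User string is split across two, which is harmless but makes the two checks drift apart when one is later edited.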


-- System Information
Debian Release: 2.0 (frozen)
Kernel Version: Linux passenger 2.0.33 #3 Fri Apr 17 17:11:47 CEST 1998 alpha unknown

Versions of the packages apache depends on:
libc6.1 Version: 2.0.7pre1-4
libgdbmg1 Version: 1.7.3-24
mime-support Version: 2.16-1
perl Version: 5.004.04-5
base-passwd Version: 2.0.3.2


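The failure mode the report describes is a suexec wrapper that has silently lost its setuid bit. The following is an added example, not code from the bug report, from Debian or from Apache: a pre-start check, in POSIX shell, that refuses to pass unless the wrapper is a regular file with the setuid bit set, owned by the expected user, and not writable by group or others. It assumes GNU coreutils (`stat -c`) and takes the wrapper path and expected owner as arguments; the path `/usr/lib/apache/suexec` in the usage comment is only an illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or from Apache): fail loudly when the
# suexec wrapper is not a root-owned setuid binary. Assumes GNU coreutils for
# `stat -c`; BSD stat uses a different option syntax.

# check_suexec PATH OWNER
# Returns 0 when PATH is a regular file owned by OWNER, has the setuid bit set,
# and is not group- or world-writable. Otherwise prints the reason to stderr
# and returns 1, so it can gate a server start with `|| exit 1`.
check_suexec() {
    path=$1
    owner=$2

    if [ ! -f "$path" ]; then
        echo "suexec: $path is not a regular file" >&2
        return 1
    fi

    # %a = permission bits in octal (3 or 4 digits), %U = owner name
    info=$(stat -c '%a %U' "$path") || return 1
    mode=${info% *}
    actual_owner=${info#* }

    # Pad to four digits so the special-bits digit (setuid/setgid/sticky) is
    # always in front: "755" -> "0755", "4755" stays "4755".
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
    special=${mode%???}   # first digit
    perms=${mode#?}       # remaining three digits: user, group, other

    # setuid is the 4 bit of the special digit: 4, 5 (+sticky), 6 (+setgid), 7
    case $special in
        4|5|6|7) ;;
        *) echo "suexec: $path mode $mode lacks the setuid bit" >&2; return 1 ;;
    esac

    if [ "$actual_owner" != "$owner" ]; then
        echo "suexec: $path is owned by $actual_owner, expected $owner" >&2
        return 1
    fi

    # A setuid binary writable by group or others can be replaced outright,
    # so treat the write bit (2) in either digit as a failure.
    group_digit=${perms#?}; group_digit=${group_digit%?}
    other_digit=${perms#??}
    case $group_digit in
        2|3|6|7) echo "suexec: $path is group-writable ($mode)" >&2; return 1 ;;
    esac
    case $other_digit in
        2|3|6|7) echo "suexec: $path is world-writable ($mode)" >&2; return 1 ;;
    esac

    return 0
}

# Usage (path is illustrative): sh check_suexec.sh /usr/lib/apache/suexec root
if [ $# -ge 1 ]; then
    check_suexec "$1" "${2:-root}" && echo "suexec wrapper OK: $1"
fi
```

Run it from the same init script that starts httpd, before the server is launched, so that a wrapper which has lost its mode bits (after a careless `cp`, a package upgrade, or a restore from backup) stops the start instead of letting every user's CGI run as the web server.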
