2005/05/12 suexec



-r-s--x---  2 root apache 18832 Jan 28 01:31 /usr/sbin/suexec


This is an Apache helper program. Its purpose is to allow a web site to let individual users execute cgi-bin programs for their sub-site without jeopardizing the security of other users. As you can see above, it is set-uid root, but can only be executed by the apache group. There's more to it though: the binary has been compiled with the apache username specified and it will ONLY work when the user apache is the caller.



It has to be setuid root so that it can in turn assume the ordinary user's id while executing the cgi script. What we have is Apache, not running as root, using this setuid binary to become root just long enough to become the user whose script is about to be executed. That means that the ultimate cgi script can only do things that the individual user could do anyway - it's not running as root or as apache.

But a setuid binary owned by root could be dangerous. If anyone could run suexec, anyone could do anything they liked. You'd have no security at all. So the apache id is compiled in, and suexec checks its caller against that. It also checks that it has been properly invoked, which is something the man page doesn't tell you how to do. The docs explain:


 The wrapper will only execute if it is given the proper number of
 arguments. The proper argument format is known to the Apache web
 server. If the wrapper is not receiving the proper number of
 arguments, it is either being hacked, or there is something wrong
 with the suEXEC portion of your Apache binary.


And there are more checks. The binary itself does all the checking it can to avoid being a tool which someone could use to thwart the intended security.
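To make that sequence of checks concrete, here is an added illustration (not Apache's suexec source) of the gate a setuid wrapper puts in front of privilege: a file-mode check matching the `ls -l` line above, the compiled-in caller check, the argument-count check, a sanity check on the target account, and the drop to the target user. The UID/GID numbers, the minimum-id floor and the exact argument count are assumptions for the example.

```c
/* Added example: the pre-flight checks of a suexec-style setuid wrapper.
 * This is illustrative code, not Apache's suexec. Numeric ids, the
 * minimum-id floor and EXPECTED_ARGC are assumptions for the example. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Compiled-in identity of the only caller allowed to use the wrapper
 * (suexec resolves a compiled-in user name; a fixed uid is assumed here). */
#define HTTPD_UID 48
/* Expected argv layout: wrapper, target user, target group, script (assumed). */
#define EXPECTED_ARGC 4
/* Lowest uid/gid the wrapper will ever switch to (assumed floor). */
#define MIN_UID 1000
#define MIN_GID 1000

/* 1 if the wrapper's own file mode matches the layout in the ls output:
 * owned by root, setuid, group-executable, no world permissions at all,
 * and not writable by the group. */
int wrapper_mode_is_safe(mode_t mode, uid_t owner) {
    if (owner != 0)          return 0;   /* must be owned by root */
    if (!(mode & S_ISUID))   return 0;   /* must be setuid */
    if (mode & S_IRWXO)      return 0;   /* no world read/write/exec */
    if (mode & S_IWGRP)      return 0;   /* group must not be able to replace it */
    return 1;
}

/* 1 if the real (not effective) caller is the compiled-in web server uid. */
int caller_is_httpd(uid_t real_uid) {
    return real_uid == HTTPD_UID;
}

/* 1 if argc matches the format the web server is known to pass. */
int argc_is_proper(int argc) {
    return argc == EXPECTED_ARGC;
}

/* 1 if the account we are asked to become is an ordinary, unprivileged one. */
int target_is_unprivileged(uid_t uid, gid_t gid) {
    return uid >= MIN_UID && gid >= MIN_GID;
}

/* NULL if the invocation passes every check, otherwise the reason to refuse.
 * Refusing early is the whole point: nothing runs until all checks pass. */
const char *refuse_reason(int argc, uid_t real_uid, uid_t target_uid, gid_t target_gid) {
    if (!caller_is_httpd(real_uid))
        return "caller is not the compiled-in web server user";
    if (!argc_is_proper(argc))
        return "wrong number of arguments";
    if (!target_is_unprivileged(target_uid, target_gid))
        return "target account is privileged";
    return NULL;
}

/* Give up root for good: supplementary groups, then gid, then uid, and
 * verify the drop actually took before anything is executed. 0 on success. */
int drop_to(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

int main(int argc, char **argv) {
    struct stat st;
    /* What an admin sees after 'ls -l' on the wrapper, checked programmatically. */
    if (stat(argv[0], &st) == 0)
        printf("wrapper mode safe: %s\n",
               wrapper_mode_is_safe(st.st_mode, st.st_uid) ? "yes" : "no");

    /* Target ids would come from argv[1]/argv[2] via getpwnam/getgrnam;
     * constructed values are used here so the example runs stand-alone. */
    uid_t target_uid = 1001;
    gid_t target_gid = 1001;
    const char *why = refuse_reason(argc, getuid(), target_uid, target_gid);
    if (why) {
        fprintf(stderr, "refusing: %s\n", why);
        return 1;
    }
    if (drop_to(target_uid, target_gid) != 0) {
        fprintf(stderr, "refusing: could not drop privileges\n");
        return 1;
    }
    /* Only here, as the target user, would the script be exec'd. */
    printf("now running as uid %u, would exec %s\n", (unsigned)getuid(), argv[3]);
    return 0;
}
```

Run as an ordinary user, the stand-alone program refuses at the first check, which is the behaviour you want from any such wrapper: every test is applied against the real uid and the raw invocation before a single privileged action is taken, and the privilege drop is verified rather than assumed.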

Apparently earlier versions had some PAM support, but it looks like that has been removed: http://lists.debian.org/debian-apache/2004/08/msg00386.html.




