Date: Thu, 29 Apr 2004 17:13:13 +0000 From: Mikkel Christensen <mikkel@talkactive.net> To: freebsd-questions@freebsd.org Subject: Re: Suexec with Apache 1.3.29 Message-ID: <200404291713.13999.mikkel@talkactive.net> In-Reply-To: <6.0.0.22.0.20040429101444.0e68a6a0@pop.face2interface.com> References: <200404262126.36157.mikkel@talkactive.net> <200404291406.58150.mikkel@talkactive.net> <6.0.0.22.0.20040429101444.0e68a6a0@pop.face2interface.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thursday 29 April 2004 14:22, Marty Landman wrote: > At 10:06 AM 4/29/2004, Mikkel Christensen wrote: >=20 > >This seems extremely strange to me. >=20 > Why is it strange? The reason I kept trying to install suexec was because= =20 > until I did, the development environment I set up on my LAN could mirror= =20 > that on my real sites with the exception that all the files & directories= =20 > had to be given 777 or equivalent permissions. Otherwise with the user=20 > running my cgi's being nobody aka www or httpd files couldn't be written= =20 > to, created, deleted etc.. With the types of web apps I write this was=20 > becoming not only a royal pain, also a constant reminder to me that my=20 > local environment was as insecure as it could be; of course it's strictly= =20 > local so not a problem. Okay, I can see your point. But, I still find it annoying that suexec wont execute a script that is own= ed by a particular user if another user has group rights to the script. Eg I would like execution to be run under user1, both the User end Group. My idea is that if the file is owned by user1 and the file's group is www i= t would give more possibilities to the user for denying other users access. Eg. the user (user1) could deny other regular users on the server access by= s=E6tting chmod xx0. He could allow the webserver to read his files with chmod x4x and the give = execution, read and write rights to himself with chmod 7xx. Now he has to give the webserver the same rights as everybody else on the s= erver. This is a problem if he stores passwords in a php-script. Apache wil= l interpret it and therefore not let anyone se the source while other users= can read the content as they please. This seems to be more unsecure, or am I wrong? I get the idea that if other group members have access to the file they cou= ld potentially write their own content. Bus usually the group doen's have w= rite access to files. And also, no users are members of the www group by de= fault. >=20 > >But following theese rules it works as it should. >=20 > With suexec running, a cgi gets set to 744 or 700 instead of 755; a data= =20 > file e.g. log or count file gets 644 or 600 instead of 666. It's amazing = to=20 > me that more vandalism and cross site scripting doesn't occur given the=20 > servers that still don't run suexec, or the users that aren't hip to usin= g=20 > it properly for setting permissions when the server does support it. >=20 Can't argue with that:) =2D Mikkel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404291713.13999.mikkel>