
Bug#499191: Possible security issues



On Wednesday 04 February 2009, Alexander Prinsier wrote:
> > You are just considering pure web servers. On a machine that has
> > a web server running but is also used for other things, users'
> > home directories will contain many things that are not readable
> > by the user www-data. If you have some insecure cgi script that
> > allows to read arbitrary files, every local user would be able to
> > read ~/.ssh/id_rsa of every other local user. This is not
> > possible with the current, tighter suexec.
>
> I wasn't just considering web servers. On a shell server, regular
> users can't execute suexec (only www-data can). I'm only
> considering the case where www-data is a trusted user (as in,
> regular users can't execute things as www-data).

This limitation is trivial to bypass, see below.

> >> Because of that, I don't think there are many setups allowing
> >> script execution as www-data, but yes, in such a case there is a
> >> side-effect with my suggestion, that most admins would not
> >> suspect.
> >
> > It's rather easy to get such a setup:
> >
> > aptitude install apache2 libapache2-mod-php5
> > a2enmod userdir
> >
> > The default mod_php config allows it. Probably this should be
> > changed.
>
> Yeah I know. It's easy to setup, performant (no suexec overhead),
> but horrible security wise.

That's not what I meant. What I meant is that mod_php in the default 
configuration allows the following:

User1 creates a script in /home/user1/public_html/cat.php with 
contents:

<?php
// suexec runs as www-data here; it is asked to run cat as user2
passthru("cd /bin; /usr/lib/apache2/suexec user2 user2 cat /home/user2/.ssh/id_rsa");

then does "curl http://localhost/~user1/cat.php" and user1 has 
executed suexec as user www-data, and suexec would in turn execute 
cat as user2.

This does not actually work _only_ because suexec checks the docroot 
and the owner of the executed program. Therefore it would be foolish 
to remove both these checks.

But even if you only remove the owner check, you are still trusting 
that it is safe if one user can exec everything in your docroot as 
any other user. I don't think this is a good idea.

Cheers,
Stefan
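A small model of the two suexec checks the message turns on, added here as an example; it is not code from the bug report or from Apache's suexec. It reproduces the docroot and owner checks (plus suexec's minimum-uid, writable and setuid checks) over constructed file metadata in place of stat(2), so it runs offline; the uids, UID_MIN=1000, the paths and the simplified path handling are assumptions. Each case in demo() answers the question in the thread: which check stops the cat.php call, and what a docroot-only policy still lets through.

```python
import posixpath
from dataclasses import dataclass


# Constructed metadata standing in for stat(2); real suexec stats the
# target program and its directory. All uids, gids and paths are assumed.
@dataclass(frozen=True)
class FileInfo:
    uid: int
    gid: int
    mode: int  # permission bits, including setuid/setgid


FILES = {
    "/bin/cat": FileInfo(0, 0, 0o755),
    "/home/user2/public_html/index.cgi": FileInfo(1002, 1002, 0o755),
    # user1's own script, parked in the shared docroot of a non-userdir vhost
    "/var/www/user1-site/tool.cgi": FileInfo(1001, 1001, 0o755),
}
USERS = {"root": 0, "user1": 1001, "user2": 1002}
UID_MIN = 1000  # plays the role of suexec's compiled-in AP_UID_MIN (value assumed)


def suexec_check(cwd, cmd, target_user, docroot,
                 check_docroot=True, check_owner=True):
    """Decide whether a suexec-style wrapper would run `cmd` (resolved
    relative to `cwd`) as `target_user`. Returns (allowed, reason).
    The two keyword flags model removing the corresponding check."""
    target_uid = USERS.get(target_user)
    if target_uid is None:
        return False, "unknown user"
    if target_uid < UID_MIN:
        return False, "uid below minimum"
    # Normalise so "../" cannot walk out of the docroot.
    program = posixpath.normpath(posixpath.join(cwd, cmd))
    docroot = posixpath.normpath(docroot)
    if check_docroot and posixpath.commonpath([program, docroot]) != docroot:
        return False, "outside docroot"
    info = FILES.get(program)
    if info is None:
        return False, "no such file"
    if info.mode & 0o6000:
        return False, "setuid/setgid program"
    if info.mode & 0o022:
        return False, "program writable by group/other"
    if check_owner and info.uid != target_uid:
        return False, "program not owned by target user"
    return True, "ok"


def demo():
    userdir = "/home/user2/public_html"  # docroot suexec uses for ~user2
    return {
        # the cat.php call from the message: cd /bin; suexec user2 user2 cat ...
        "both checks": suexec_check("/bin", "cat", "user2", userdir),
        "no docroot check": suexec_check("/bin", "cat", "user2", userdir,
                                         check_docroot=False),
        "no checks": suexec_check("/bin", "cat", "user2", userdir,
                                  check_docroot=False, check_owner=False),
        "traversal": suexec_check(userdir, "../../../bin/cat", "user2", userdir),
        "root target": suexec_check("/bin", "cat", "root", "/var/www"),
        # docroot check alone: user1's file in the shared docroot runs as user2
        "shared docroot, owner check": suexec_check(
            "/var/www/user1-site", "tool.cgi", "user2", "/var/www"),
        "shared docroot, no owner check": suexec_check(
            "/var/www/user1-site", "tool.cgi", "user2", "/var/www",
            check_owner=False),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:32} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The first three cases trace the message's argument: the /bin/cat request dies on the docroot check, survives it only to die on the owner check, and goes through once both are gone. The last two show the residual risk of keeping only the docroot check: any program someone managed to place under a shared docroot runs as whichever user the caller names. The real suexec is stricter than this model (it rejects a cmd containing "/" or "../" outright and also checks the directory's owner and mode), but the decision structure is the same.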


