Bug#499191: Possible security issues
On Wednesday 04 February 2009, Alexander Prinsier wrote:
> > You are just considering pure web servers. On a machine that has
> > a web server running but is also used for other things, users'
> > home directories will contain many things that are not readable
> > by the user www-data. If you have some insecure cgi script that
> > allows reading arbitrary files, every local user would be able to
> > read ~/.ssh/id_rsa of every other local user. This is not
> > possible with the current, tighter suexec.
>
> I wasn't just considering web servers. On a shell server, regular
> users can't execute suexec (only www-data can). I'm only
> considering the case where www-data is a trusted user (as in,
> regular users can't execute things as www-data).
This limitation is trivial to bypass; see below.
> >> Because of that, I don't think there are many setups allowing
> >> script execution as www-data, but yes, in such a case there is a
> >> side-effect with my suggestion, that most admins would not
> >> suspect.
> >
> > It's rather easy to get such a setup:
> >
> > aptitude install apache2 libapache2-mod-php5
> > a2enmod userdir
> >
> > The default mod_php config allows it. Probably this should be
> > changed.
>
> Yeah, I know. It's easy to set up, performant (no suexec overhead),
> but horrible security-wise.
That's not what I meant. What I meant is that mod_php in the default
configuration allows the following:
User1 creates a script in /home/user1/public_html/cat.php with
contents:
<?php
passthru("cd /bin; /usr/lib/apache2/suexec user2 user2 cat /home/user2/.ssh/id_rsa");
then does "curl http://localhost/~user1/cat.php" and user1 has
executed suexec as user www-data, and suexec would in turn execute
cat as user2.
This does not actually work _only_ because suexec checks the docroot
and the owner of the executed program. Therefore it would be foolish
to remove both these checks.
But even if you only remove the owner check, you are still trusting
that it is safe if one user can exec everything in your docroot as
any other user. I don't think this is a good idea.
Cheers,
Stefan
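To make the argument in the last two paragraphs concrete, here is an added Python model of the two suexec checks Stefan names (the docroot check and the owner check). It is illustration code written for this thread, not Apache's suexec and not from the bug report; the filesystem, the uids (1001, 1002) and the list of allowed roots are constructed assumptions. Each check can be switched off so you can see which one stops the scenario from the message, and what is permitted once a check is gone.

```python
import posixpath
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    uid: int
    gid: int
    mode: int  # st_mode bits, e.g. stat.S_IFREG | 0o755


# Constructed in-memory filesystem model (hypothetical uids/gids, not a real host).
USER1, USER2 = 1001, 1002
FS = {
    "/bin": FileInfo(0, 0, stat.S_IFDIR | 0o755),
    "/bin/cat": FileInfo(0, 0, stat.S_IFREG | 0o755),
    "/home/user1/public_html": FileInfo(USER1, USER1, stat.S_IFDIR | 0o755),
    "/home/user1/public_html/cat.php": FileInfo(USER1, USER1, stat.S_IFREG | 0o755),
    "/home/user2/public_html": FileInfo(USER2, USER2, stat.S_IFDIR | 0o755),
    "/home/user2/public_html/hello.cgi": FileInfo(USER2, USER2, stat.S_IFREG | 0o755),
}

# Roots a target program may live under: the server docroot plus each user's
# ~/public_html (assumed layout for this model).
ALLOWED_ROOTS = ["/var/www", "/home/user1/public_html", "/home/user2/public_html"]


def _under(path, root):
    """True if path lies strictly below root."""
    return path.startswith(root.rstrip("/") + "/")


def check_exec(cwd, cmd, target_uid, target_gid, check_docroot=True, check_owner=True):
    """Model of the suexec checks discussed in the thread. Returns (allowed, reason)."""
    # The command must be a bare file name resolved inside the working directory.
    if "/" in cmd or ".." in cmd:
        return False, "command must be a bare file name"
    if target_uid == 0 or target_gid == 0:
        return False, "refusing to run as root"
    cwd = posixpath.normpath(cwd)
    path = posixpath.join(cwd, cmd)
    dir_info, prog_info = FS.get(cwd), FS.get(path)
    if dir_info is None or prog_info is None:
        return False, "no such directory or program"
    # Docroot check: the program must sit under one of the allowed roots.
    if check_docroot and not any(_under(path, r) for r in ALLOWED_ROOTS):
        return False, "%s is outside every allowed docroot" % path
    # Owner check: directory and program must belong to the target user/group
    # and must not be writable by anyone else.
    if check_owner:
        for label, info in (("directory", dir_info), ("program", prog_info)):
            if (info.uid, info.gid) != (target_uid, target_gid):
                return False, "%s not owned by uid %d/gid %d" % (label, target_uid, target_gid)
            if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
                return False, "%s is group/world writable" % label
    if prog_info.mode & (stat.S_ISUID | stat.S_ISGID):
        return False, "program is setuid/setgid"
    return True, "ok"


if __name__ == "__main__":
    # The scenario from the message: www-data asks to run /bin/cat as user2.
    print(check_exec("/bin", "cat", USER2, USER2))
    print(check_exec("/bin", "cat", USER2, USER2, check_docroot=False))
    # user1's own script requested as user2: only the owner check stops it.
    print(check_exec("/home/user1/public_html", "cat.php", USER2, USER2))
    print(check_exec("/home/user1/public_html", "cat.php", USER2, USER2, check_owner=False))
    # The legitimate case: user2's script in user2's public_html, run as user2.
    print(check_exec("/home/user2/public_html", "hello.cgi", USER2, USER2))
```

Running the model shows the point of the message: the docroot check alone rejects /bin/cat, and with it disabled the owner check still rejects it because /bin and cat belong to root. Dropping only the owner check, however, lets user1's script be executed as user2 as soon as it lives under an allowed root, which is exactly the trust assumption the last paragraph warns against.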