Debian bug report logs - #21525
apache: suexec security problem

Package: apache; Severity: important; Reported by: <gorgo@passenger.telnet.hu>; dated Wed, 22 Apr 1998 12:48:02 GMT; Maintainer for apache is Johnie Ingram <johnie@debian.org>.

Message received at submit@bugs.debian.org:


Received: (at submit) by bugs.debian.org; 22 Apr 1998 12:37:36 +0000
Received: (qmail 30694 invoked from network); 22 Apr 1998 12:37:33 -0000
Received: from passenger.telnet.hu (gorgo@195.8.42.41)
  by debian.novare.net with SMTP; 22 Apr 1998 12:37:33 -0000
Received: (from gorgo@localhost)
	by passenger.telnet.hu (8.8.8/8.8.8/Debian/GNU) id OAA22621;
	Wed, 22 Apr 1998 14:36:53 +0200
Date: Wed, 22 Apr 1998 14:36:53 +0200
Message-Id: <199804221236.OAA22621@passenger.telnet.hu>
From: <gorgo@passenger.telnet.hu>
Subject: apache: suexec security problem
To: submit@bugs.debian.org
X-Mailer: bug 3.1.2

Package: apache
Version: 1.3b6-1
Severity: important

IIRC previous versions of apache refused to run when there were configuration
directives requiring suexec wrapper in httpd.conf while suexec was not
configured properly. 1.3b6 just gives a warning in error log. So if somehow
suexec lost its setuid bit, all the users' cgis would run with the webserver
privileges and noone would notice. This is a security risk. So I propose the 
following patch. Please forward it upstream.

--- http_core.c.save	Wed Apr 22 14:32:46 1998
+++ http_core.c	Wed Apr 22 14:34:11 1998
@@ -1346,8 +1346,9 @@
 	else {
 	    cmd->server->server_uid = ap_user_id;
 	    fprintf(stderr,
-		"Warning: User directive in <VirtualHost> "
+		"ERROR: User directive in <VirtualHost> "
 		"requires SUEXEC wrapper.\n");
+	    exit(1);	
 	}
     }
 #if !defined (BIG_SECURITY_HOLE) && !defined (__EMX__)
@@ -1380,7 +1381,8 @@
 	else {
 	    cmd->server->server_gid = ap_group_id;
 	    fprintf(stderr,
-		    "Warning: Group directive in <VirtualHost> requires SUEXEC wrapper.\n");
+		    "ERROR: Group directive in <VirtualHost> requires SUEXEC wrapper.\n");
+	    exit(1);
 	}
     }
 


-- System Information
Debian Release: 2.0 (frozen)
Kernel Version: Linux passenger 2.0.33 #3 Fri Apr 17 17:11:47 CEST 1998 alpha unknown

Versions of the packages apache depends on:
libc6.1	Version: 2.0.7pre1-4
libgdbmg1	Version: 1.7.3-24
mime-support	Version: 2.16-1
perl	Version: 5.004.04-5
base-passwd	Version: 2.0.3.2


Acknowledgement sent to <gorgo@passenger.telnet.hu>:
New bug report received and forwarded. Copy sent to Johnie Ingram <johnie@debian.org>. Full text available.
Report forwarded to debian-bugs-dist@lists.debian.org, Johnie Ingram <johnie@debian.org>:
Bug#21525; Package apache. Full text available.
Ian Jackson / owner@bugs.debian.org, through the Debian bug database
Last modified: 12:39:01 GMT Wed 29 Apr (timestamp page available).