www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2026-01-06 09:01:14 +03:00
Code Activity

pre-translation improvements

Browse Source 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@698389 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Nilgun Belma Buguner
2008-09-23 22:58:56 +00:00
parent 1457f7207a
commit 9b3699e3b7
1 changed files with 88 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

164
docs/manual/suexec.xml
View File

@@ -115,7 +115,7 @@
<ol>
<li>
<strong>Is the user executing this wrapper a valid user of
this system?</strong>
this system?</strong>
<p class="indent">
This is to ensure that the user executing the wrapper is
@@ -125,7 +125,7 @@
<li>
<strong>Was the wrapper called with the proper number of
arguments?</strong>
arguments?</strong>
<p class="indent">
The wrapper will only execute if it is given the proper
@@ -139,7 +139,7 @@
<li>
<strong>Is this valid user allowed to run the
wrapper?</strong>
wrapper?</strong>
<p class="indent">
Is this user the user allowed to run this wrapper? Only
@@ -150,7 +150,7 @@
<li>
<strong>Does the target CGI or SSI program have an unsafe
hierarchical reference?</strong>
hierarchical reference?</strong>
<p class="indent">
Does the target CGI or SSI program's path contain a leading
@@ -162,7 +162,7 @@
</li>
<li>
<strong>Is the target user name valid?</strong>
<strong>Is the target user name valid?</strong>
<p class="indent">
Does the target user exist?
@@ -170,7 +170,7 @@
</li>
<li>
<strong>Is the target group name valid?</strong>
<strong>Is the target group name valid?</strong>
<p class="indent">
Does the target group exist?
@@ -189,7 +189,7 @@
<li>
<strong>Is the target userid <em>ABOVE</em> the minimum ID
number?</strong>
number?</strong>
<p class="indent">
The minimum user ID number is specified during
@@ -201,7 +201,7 @@
<li>
<strong>Is the target group <em>NOT</em> the superuser
group?</strong>
group?</strong>
<p class="indent">
Presently, suEXEC does not allow the <code><em>root</em></code>
@@ -211,7 +211,7 @@
<li>
<strong>Is the target groupid <em>ABOVE</em> the minimum ID
number?</strong>
number?</strong>
<p class="indent">
The minimum group ID number is specified during
@@ -223,7 +223,7 @@
<li>
<strong>Can the wrapper successfully become the target user
and group?</strong>
and group?</strong>
<p class="indent">
Here is where the program becomes the target user and
@@ -245,12 +245,13 @@
<li>
<strong>Is the directory within the Apache
webspace?</strong>
webspace?</strong>
<p class="indent">
If the request is for a regular portion of the server, is
the requested directory within suEXEC's document root? If
the request is for a UserDir, is the requested directory
the request is for a <directive module="mod_userdir"
>UserDir</directive>, is the requested directory
within the directory configured as suEXEC's userdir (see
<a href="#install">suEXEC's configuration options</a>)?
</p>
@@ -258,7 +259,7 @@
<li>
<strong>Is the directory <em>NOT</em> writable by anyone
else?</strong>
else?</strong>
<p class="indent">
We don't want to open up the directory to others; only
@@ -268,7 +269,7 @@
</li>
<li>
<strong>Does the target CGI/SSI program exist?</strong>
<strong>Does the target CGI/SSI program exist?</strong>
<p class="indent">
If it doesn't exists, it can't very well be executed.
@@ -277,7 +278,7 @@
<li>
<strong>Is the target CGI/SSI program <em>NOT</em> writable
by anyone else?</strong>
by anyone else?</strong>
<p class="indent">
We don't want to give anyone other than the owner the
@@ -287,7 +288,7 @@
<li>
<strong>Is the target CGI/SSI program <em>NOT</em> setuid or
setgid?</strong>
setgid?</strong>
<p class="indent">
We do not want to execute programs that will then change
@@ -297,7 +298,7 @@
<li>
<strong>Is the target user/group the same as the program's
user/group?</strong>
user/group?</strong>
<p class="indent">
Is the user the owner of the file?
@@ -306,7 +307,7 @@
<li>
<strong>Can we successfully clean the process environment
to ensure safe operations?</strong>
to ensure safe operations?</strong>
<p class="indent">
suEXEC cleans the process' environment by establishing a
@@ -319,7 +320,7 @@
<li>
<strong>Can we successfully become the target CGI/SSI program
and execute?</strong>
and execute?</strong>
<p class="indent">
Here is where suEXEC ends and the target CGI/SSI program begins.
@@ -378,13 +379,15 @@
directories where suEXEC access should be allowed. All
executables under this directory will be executable by suEXEC
as the user so they should be "safe" programs. If you are
using a "simple" UserDir directive (ie. one without a "*" in
it) this should be set to the same value. suEXEC will not
work properly in cases where the UserDir directive points to
using a "simple" <directive module="mod_userdir">UserDir</directive>
directive (ie. one without a "*" in it) this should be set to the same
value. suEXEC will not work properly in cases where the <directive
module="mod_userdir">UserDir</directive> directive points to
a location that is not the same as the user's home directory
as referenced in the passwd file. Default value is
"public_html".<br />
If you have virtual hosts with a different UserDir for each,
as referenced in the <code>passwd</code> file. Default value is
"<code>public_html</code>".<br />
If you have virtual hosts with a different <directive
module="mod_userdir">UserDir</directive> for each,
you will need to define them to all reside in one parent
directory; then name that parent directory here. <strong>If
this is not defined properly, "~userdir" cgi requests will
@@ -393,12 +396,13 @@
<dt><code>--with-suexec-docroot=<em>DIR</em></code></dt>
<dd>Define as the DocumentRoot set for Apache. This will be
the only hierarchy (aside from UserDirs) that can be used for
suEXEC behavior. The default directory is the <code>--datadir</code>
value with the suffix "/htdocs", <em>e.g.</em> if you configure
with "<code>--datadir=/home/apache</code>" the directory
"/home/apache/htdocs" is used as document root for the suEXEC
wrapper.</dd>
the only hierarchy (aside from <directive module="mod_userdir"
>UserDir</directive>s) that can be used for suEXEC behavior. The
default directory is the <code>--datadir</code> value with the suffix
"<code>/htdocs</code>", <em>e.g.</em> if you configure with
"<code>--datadir=/home/apache</code>" the directory
"<code>/home/apache/htdocs</code>" is used as document root for the
suEXEC wrapper.</dd>
<dt><code>--with-suexec-uidmin=<em>UID</em></code></dt>
@@ -417,63 +421,71 @@
<dd>This defines the filename to which all suEXEC
transactions and errors are logged (useful for auditing and
debugging purposes). By default the logfile is named
"suexec_log" and located in your standard logfile directory
(<code>--logfiledir</code>).</dd>
"<code>suexec_log</code>" and located in your standard logfile
directory (<code>--logfiledir</code>).</dd>
<dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
<dd>Define a safe PATH environment to pass to CGI
executables. Default value is
"/usr/local/bin:/usr/bin:/bin".</dd>
"<code>/usr/local/bin:/usr/bin:/bin</code>".</dd>
</dl>
<p><strong>Compiling and installing the suEXEC
wrapper</strong><br />
If you have enabled the suEXEC feature with the
<code>--enable-suexec</code> option the <code>suexec</code> binary
(together with Apache itself) is automatically built if you execute
the <code>make</code> command.<br />
After all components have been built you can execute the
command <code>make install</code> to install them. The binary image
<code>suexec</code> is installed in the directory defined by the
<code>--sbindir</code> option. The default location is
"/usr/local/apache2/bin/suexec".<br />
Please note that you need <strong><em>root
privileges</em></strong> for the installation step. In order
for the wrapper to set the user ID, it must be installed as
owner <code><em>root</em></code> and must have the setuserid
execution bit set for file modes.</p>
<section>
<title>Compiling and installing the suEXEC wrapper</title>
<p><strong>Setting paranoid permissions</strong><br />
Although the suEXEC wrapper will check to ensure that its
caller is the correct user as specified with the
<code>--with-suexec-caller</code> <program>configure</program>
option, there is
always the possibility that a system or library call suEXEC uses
before this check may be exploitable on your system. To counter
this, and because it is best-practise in general, you should use
filesystem permissions to ensure that only the group Apache
runs as may execute suEXEC.</p>
<p>If you have enabled the suEXEC feature with the
<code>--enable-suexec</code> option the <code>suexec</code> binary
(together with Apache itself) is automatically built if you execute
the <code>make</code> command.</p>
<p>If for example, your web server is configured to run as:</p>
<p>After all components have been built you can execute the
command <code>make install</code> to install them. The binary image
<code>suexec</code> is installed in the directory defined by the
<code>--sbindir</code> option. The default location is
"/usr/local/apache2/bin/suexec".</p>
<example>
User www<br />
Group webgroup<br />
</example>
<p>Please note that you need <strong><em>root
privileges</em></strong> for the installation step. In order
for the wrapper to set the user ID, it must be installed as
owner <code><em>root</em></code> and must have the setuserid
execution bit set for file modes.</p>
</section>
<p>and <program>suexec</program> is installed at
"/usr/local/apache2/bin/suexec", you should run:</p>
<section>
<title>Setting paranoid permissions</title>
<example>
chgrp webgroup /usr/local/apache2/bin/suexec<br />
chmod 4750 /usr/local/apache2/bin/suexec<br />
</example>
<p>Although the suEXEC wrapper will check to ensure that its
caller is the correct user as specified with the
<code>--with-suexec-caller</code> <program>configure</program>
option, there is
always the possibility that a system or library call suEXEC uses
before this check may be exploitable on your system. To counter
this, and because it is best-practise in general, you should use
filesystem permissions to ensure that only the group Apache
runs as may execute suEXEC.</p>
<p>This will ensure that only the group Apache runs as can even
execute the suEXEC wrapper.</p>
<p>If for example, your web server is configured to run as:</p>
<example>
User www<br />
Group webgroup<br />
</example>
<p>and <program>suexec</program> is installed at
"/usr/local/apache2/bin/suexec", you should run:</p>
<example>
chgrp webgroup /usr/local/apache2/bin/suexec<br />
chmod 4750 /usr/local/apache2/bin/suexec<br />
</example>
<p>This will ensure that only the group Apache runs as can even
execute the suEXEC wrapper.</p>
</section>
</section>
<section id="enable"><title>Enabling &amp; Disabling
suEXEC</title>
@@ -556,7 +568,7 @@
<li><strong>suEXEC Points Of Interest</strong></li>
<li>
Hierarchy limitations
Hierarchy limitations
<p class="indent">
For security and efficiency reasons, all suEXEC requests
@@ -571,7 +583,7 @@
</li>
<li>
suEXEC's PATH environment variable
suEXEC's PATH environment variable
<p class="indent">
This can be a dangerous thing to change. Make certain
@@ -583,7 +595,7 @@
</li>
<li>
Altering the suEXEC code
Altering the suEXEC code
<p class="indent">
Again, this can cause <strong>Big Trouble</strong> if you