Bug#607755: apache2: suexec-custom does not allow docroot=/ (trailing slash gets removed)

December 21st, 2010 - 02:20 pm ET by Daniel Hahler
Package: apache2.2-common
Version: 2.2.16-1
Severity: normal

I want to use suexec-custom for a setup using mod_chroot, and therefore
want/have to use a DocumentRoot of "/" (which is the root of the
chroot).

Unfortunately there appears to be a bug in
debian/patches/202_suexec-custom.dpatch, function read_line, where
trailing space and slash get removed.
A trailing slash should not get removed here if it is the only char
(and refers to the root directory).

Thanks.

List of /etc/apache2/mods-enabled/*.load:
actions alias auth_basic authn_file authz_default authz_groupfile
authz_host authz_user autoindex cgi deflate dir env expires fastcgi
headers mime negotiation php5 proxy proxy_http reqtimeout rewrite
setenvif ssl status userdir
List of enabled php5 extensions:
apc curl gd gmp mcrypt mysql mysqli pdo pdo_mysql

Debian Release: squeeze/sid
APT prefers maverick-updates
APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-proposed'), (500, 'maverick-backports'), (500, 'maverick'), (10, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.36.2-blueyed (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.2.16-1ubuntu3.1 Apache HTTP Server - traditional n
ii apache2.2-common 2.2.16-1ubuntu3.1 Apache HTTP Server common files

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.16-1ubuntu3.1 utility programs for webservers
ii apache2.2-bin 2.2.16-1ubuntu3.1 Apache HTTP Server common binary f
ii libmagic1 5.03-5ubuntu1 File type determination library us
ii lsb-base 4.0-0ubuntu8 Linux Standard Base 4.0 init scrip
ii mime-support 3.48-1ubuntu2 MIME files 'mime.types' & 'mailcap
ii perl 5.10.1-12ubuntu2 Larry Wall's Practical Extraction
ii procps 1:3.2.8-9ubuntu3 /proc file system utilities




To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Replies

#1 Stefan Fritsch
December 21st, 2010 - 03:00 pm ET
tags 607755 wontfix
thanks

On Tuesday 21 December 2010, Daniel Hahler wrote:
> I want to use suexec-custom for a setup using mod_chroot, and
> therefore want/have to use a DocumentRoot of "/" (which is the
> root of the chroot).
>
> Unfortunately there appears to be a bug in
> debian/patches/202_suexec-custom.dpatch, function read_line, where
> trailing space and slash get removed.
> A trailing slash should not get removed here if it is the only
> char (and refers to the root directory).

This is not a bug, but intentional (see the suexec man page in the
apache2-suexec-custom package). Setting the docroot setting of suexec
to / introduces a local privilege escalation vulnerability (at least
in a non-chrooted environment). Therefore I will not lift this
restriction.

However, I do invite you to discuss with me on the debian-apache
mailing list what a reasonable chroot setup could look like. The result
could then be documented on [1] and maybe be included in README.Debian
in a future version.

I think for simple setups without cgi/fastcgi/..., the built-in
chrootdir directive should simply work (i.e. ChrootDir /var/www).

For more complicated setups, it may be better to have something like
this: The chroot in e.g. /srv/www, the html data in /srv/www/var/www,
the DocumentRoot setting in Apache as /var/www. The real /var/www
outside the chroot then must be a symlink to /srv/www/var/www.
With such a setup, you can copy stuff into the chroot in a way that
all paths are identical inside and outside of the chroot. If your
webapp has some configuration data e.g. in /etc/webapp, make that a
symlink to /srv/www/etc/webapp and put the files there.

Does this sound like it could work for you?

[1] http://wiki.debian.org/Apache/Hardening
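The behaviour the two messages argue about, as an added illustration that is not the code of debian/patches/202_suexec-custom.dpatch or of suexec itself: a per-user docroot line has trailing whitespace and slashes removed, so a line reading "/" collapses to the empty string, and an empty docroot makes the "is this script inside the docroot?" containment check match every path on the system. That is the reason the reply gives for refusing "/". The function names, the component-boundary prefix check and the sample script paths are assumptions of this example.

```c
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reimplementation of the stripping the report describes:
 * trailing whitespace and trailing '/' characters are removed in place.
 * Not the Debian patch's read_line. */
char *strip_docroot_line(char *line)
{
    size_t n = strlen(line);
    while (n > 0 && (isspace((unsigned char)line[n - 1]) || line[n - 1] == '/'))
        line[--n] = '\0';
    return line;
}

/* Helper for checks: strip a copy of `line` and compare with `expect`. */
int stripped_equals(const char *line, const char *expect)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", line);
    return strcmp(strip_docroot_line(buf), expect) == 0;
}

/* 1 if `path` lies inside `docroot` (prefix match on a path-component
 * boundary, so "/var/www" does not match "/var/www-old"), else 0.
 * An empty docroot, which is what "/" strips down to, matches everything. */
int path_within_docroot(const char *docroot, const char *path)
{
    size_t n = strlen(docroot);
    if (n == 0)
        return 1;
    if (strncmp(path, docroot, n) != 0)
        return 0;
    return path[n] == '/' || path[n] == '\0';
}

/* The policy the reply defends: a stripped docroot must still be a
 * non-empty absolute path, so "/", "//" and "/ " are all refused. */
int docroot_is_acceptable(const char *stripped_docroot)
{
    return stripped_docroot[0] == '/';
}

/* How many of the constructed sample script paths a docroot line lets
 * through. With refuse_root set, an unacceptable docroot returns -1
 * instead of being evaluated at all. */
int allowed_count(const char *docroot_line, int refuse_root)
{
    static const char *const samples[] = {   /* constructed sample paths */
        "/var/www/cgi-bin/app.cgi",          /* the only legitimate one */
        "/var/www-old/cgi-bin/app.cgi",      /* sibling dir, must not match */
        "/usr/local/bin/admin-tool",         /* outside any sane docroot */
        "/home/alice/bin/tool",
    };
    char buf[256];
    int count = 0;
    snprintf(buf, sizeof buf, "%s", docroot_line);
    strip_docroot_line(buf);
    if (refuse_root && !docroot_is_acceptable(buf))
        return -1;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (path_within_docroot(buf, samples[i]))
            count++;
    return count;
}

int main(void)
{
    printf("docroot /var/www      : %d of 4 sample paths allowed\n",
           allowed_count("/var/www/ \n", 1));
    printf("docroot / (refused)   : %d\n", allowed_count("/\n", 1));
    printf("docroot / (if allowed): %d of 4 sample paths allowed\n",
           allowed_count("/\n", 0));
    return 0;
}
```

The last line of the output is the point of the restriction: once the root directory is accepted as a docroot, the containment check no longer excludes anything, and suexec would run any executable the configured user can reach. In a chroot the reply's suggested layout (chroot in /srv/www, DocumentRoot /var/www both inside and outside) keeps a real, non-root docroot so this check still does useful work.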
