another question on apache 2.2.4 / 2.2.6 and suexec


Post by pwadas » Mon Sep 10, 2007 4:31 pm

Hello,
I use some CGI with the Apache suexec module.
As you probably know, the suexec module actually
works with the suid bit of the root-owned binary "suexec".

It means that, while changing the effective user,
Apache actually uses root privileges to get into the
final user - if the CGI process is going to work as "john",
Apache first becomes root and then drops root privileges
to become "john".

The question is: how would role transitions roll in such a process?
If apache is running as "www-data", the policy for www-data
and /usr/sbin/apache2 should probably allow transition to "root" (to be able to execute SUID'ed "suexec" binary). Then, policy for "root"
and /usr/lib/apache2/suexec should probably allow transition
to the final user.
Do I understand the concept in an appropriate way?

Regards,
Piotr