another question on apache 2.2.4 / 2.2.6 and suexec
Posted: Mon Sep 10, 2007 4:31 pm
Hello,
I use some cgi with the apache suexec module.
As you probably know, the suexec module actually
works with the suid bit of the root-owned binary "suexec".
It means that while changing the effective user,
apache actually uses root privileges to get into the
final user - if the cgi process is going to work as "john",
apache first becomes root and then drops root privileges
to become "john".
The question is: how would role transitions roll in such a process?
If apache is running as "www-data", the policy for www-data
and /usr/sbin/apache2 should probably allow transition to "root"
(to be able to execute the SUID'ed "suexec" binary). Then, the policy for "root"
and /usr/lib/apache2/suexec should probably allow transition
to the final user.
Do I understand the concept in an appropriate way?
Regards,
Piotr