I'm looking to get feedback on one of two possible changes to suexec (yes, I know, probably the worst thing to suggest changes to). :)
Both changes hope to mitigate the problem with kernels without ACL support at the filesystem, on a multi-customer web server. All site files have global read rights, and, combined with CGI support, this provides a mechanism to gain information and even content on site configuration, code, and material not intended for public access through simple file-system browsing and reading. Also, if there is a solution/work-around to this then please let me know, and I'll walk away with my head between my legs :)

Possible Change 1
-----------------

Adding a build-time option or Apache configuration directive that enables chroot'ing to the home directory of the user being switched to. This would be done near the end of suexec's execution, after changing to the user's uid & gid.

Possible Change 2
-----------------

Rather than just switching to the user's uid & gid, it would additionally launch their shell, passing to it the command to execute. I realize there are implications here, since each shell takes a command to execute differently, and I'm not entirely sure that all do (although all that I'm aware of do it in a similar manner). The goal being that it may be a normal shell, or possibly jail the user itself. It also has the benefit that it will perform any environment setup and/or other actions that are set as policy for that user. This option would also be a configuration option at compile time, or an Apache directive.

Input, problems, feasibility, security issues on both are requested. If it is deemed acceptable I'll make the necessary patch and submit that.
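The two proposals sketched as plain C, as an added example that is not part of the post and not Apache's suexec code. The function names, status codes and argv layout are assumptions for illustration. One ordering point worth showing: chroot(2) requires root, so in this sketch the chroot happens before the uid/gid switch rather than after it, followed by chdir("/") so the working directory ends up inside the new root. The jail root is sanity-checked first (it must be a directory, owned by root or by the target user, and not world-writable), and the privilege drop is verified by checking that setuid(0) fails afterwards.

```c
/* Added example (not Apache code): the two suexec ideas above as plain C.
 * Function names, status codes and the argv layout are assumptions for
 * illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_status {
    JAIL_OK = 0,
    JAIL_STAT_FAILED,     /* path missing or unreadable */
    JAIL_NOT_DIR,
    JAIL_BAD_OWNER,       /* neither root nor the target user owns it */
    JAIL_WORLD_WRITABLE
};

/* Sanity-check the chroot target before trusting it as a jail root. */
enum jail_status check_jail_dir(const char *path, uid_t uid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return JAIL_STAT_FAILED;
    if (!S_ISDIR(st.st_mode))
        return JAIL_NOT_DIR;
    if (st.st_uid != 0 && st.st_uid != uid)
        return JAIL_BAD_OWNER;
    if (st.st_mode & S_IWOTH)
        return JAIL_WORLD_WRITABLE;
    return JAIL_OK;
}

/* Change 1: enter the jail, then give up root.  chroot(2) needs root, so it
 * has to happen before the uid/gid switch; chdir("/") afterwards makes sure
 * the working directory is inside the new root.  Returns 0 on success. */
int jail_and_drop(const char *home, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)                 /* never run a CGI as root */
        return -1;
    if (check_jail_dir(home, uid) != JAIL_OK)
        return -1;
    if (chroot(home) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(1, &gid) != 0)              /* drop root's supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)                       /* the drop must be irreversible */
        return -1;
    return 0;
}

/* Change 2: run the command through the user's shell as `shell -c command`.
 * Assumes a shell that accepts -c (any POSIX sh does).  Fills out[] and
 * returns the argument count, or -1 if out[] is too small. */
int build_shell_argv(const char *shell, const char *command,
                     const char *out[], size_t n)
{
    if (n < 4)
        return -1;
    out[0] = shell;
    out[1] = "-c";
    out[2] = command;
    out[3] = NULL;
    return 3;
}

/* Constructed sample input: a fresh directory with the given mode, so the
 * checks can be exercised without touching real customer homes. */
int make_sample_dir(char *path_out, size_t n, mode_t mode)
{
    char tmpl[] = "/tmp/jailXXXXXX";
    if (mkdtemp(tmpl) == NULL || chmod(tmpl, mode) != 0)
        return -1;
    snprintf(path_out, n, "%s", tmpl);
    return 0;
}

/* Usage: ./jail <home> <uid> <gid> <shell-inside-jail> <command>  (run as root) */
int main(int argc, char **argv)
{
    const char *cgi_argv[4];
    if (argc != 6) {
        fprintf(stderr, "usage: %s home uid gid shell command\n", argv[0]);
        return 2;
    }
    if (jail_and_drop(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("jail_and_drop");
        return 1;
    }
    build_shell_argv(argv[4], argv[5], cgi_argv, 4);
    execv(cgi_argv[0], (char *const *)cgi_argv);
    perror("execv");
    return 1;
}
```

Once chroot has happened, the shell path and the CGI command are resolved inside the jail, so a copy of the shell (and whatever it needs) has to exist under the user's home for Change 1 and Change 2 to be combined.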