Re: [OT] security!

2001-03-01 Thread Andrew Ho 

Hello,

GRBy looking the way modperl works today, it's clearly it were not
GRdesgined to SECURELY support a multi-user environment. For instance: Any
GRuser can write a script that will be able to read any file owned by the
GRhttpd server, in a multi-user environment it should not be allowed.

This is a general Unix webserver issue and not specific to mod_perl, so
I've marked your message [OT] for off-topic.

You cannot easily avoid this problem in general.
(1) HTTP requests can come from anybody.
(2) All HTTP requests are serviced by the same webserver.
(3) The webserver needs to be able to read and execute scripts.

Therefore, in general if untrusted users can write webserver executed
scripts, they can read anything the webserver can.

GRA gentle way to prevent this would be not to allow a script read a file
GRwhose owner id is not the same from the script owner id, isn't it?

This is fine, but you're talking about revamping Unix permissions here,
not at the webserver level. The webserver cannot enforce this condition
because the webserver only runs the script, it is not the OS that the
script runs on.

GRAnother problem: process creation should be wrapped by apache suexec
GRmechanism, is it currently done this way? Why not?

This could help sidestep the issue. It is not done this way by default,
because even using suexec doesn't automatically make your scripts secure,
and in fact it can make the situation worse.

GRMay some here confirm me that if i am a security concious admin, i
GRshould not make modperl+embperl available to my user?

If you are a security conscious admin, and you cannot trust your users,
you should not make mod_perl available to them. In fact you should not
make any dynamic HTTP functionality available to them--CGI, ISAPI,
FastCGI, or anything else.

Humbly,

Andrew

--
Andrew Ho   http://www.tellme.com/   [EMAIL PROTECTED]
Engineer   [EMAIL PROTECTED]  Voice 650-930-9062
Tellme Networks, Inc.   1-800-555-TELLFax 650-930-9101
--

[OT - Security] Linux vulnerability

2000-06-10 Thread Ged Haywood 

Hi all,

I thought this might be of interest to Apache users running Linux.

 A vulnerability in some versions of Linux has recently been
 identified.
 
 SYSTEMS AFFECTED
 
   Linux kernel versions 2.2.x before 2.2.16
   (2.0.x are safe; 2.2.16 is safe)
 
 IMPACT
 
   Any local user can gain root privileges   
 
 TO FIX
 
   Upgrade to kernel 2.2.16
 
 REFERENCES
 
   Postings regarding the vulnerability to BUGTRAQ:
 
 
 http://www.securityfocus.com/templates/archive.pike?list=1date=2000-06-01m
 [EMAIL PROTECTED]
 
 http://www.securityfocus.com/templates/archive.pike?list=1date=2000-06-01m
 sg=070b01bfd0cd$95b678e0$[EMAIL PROTECTED]
 
 http://www.securityfocus.com/templates/archive.pike?list=1date=2000-06-01m
 [EMAIL PROTECTED]
 
   Source for Linux kernel version 2.2.16:
 
 http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.16.tar.gz
 
 NOTES
 
   Don't be confused by the references to Sendmail in the descriptions
   of the bug - its role in this vulnerability is incidental and other
   setuid programs may be usable in a similar way.
 
 

73,
Ged.

Re: [OT - Security] Linux vulnerability

2000-06-10 Thread Matt Sergeant 

On Sat, 10 Jun 2000, Ged Haywood wrote:

 Hi all,
 
 I thought this might be of interest to Apache users running Linux.

[snip]

Note that this is not a vulnerability that Apache/Linux suffers from
particularly, except in the case of a mod_perl or CGI exploit that allows
the user to get a local account on the machine, in which case he/she can
"upgrade" that account to root using this exploit.

Of course you should probably say "to hell with my 90+ days uptime" and
upgrade anyway ;-)

-- 
Matt/

Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org