Hello,

I am running an Apache 2.4 server (2.4.18-2ubuntu3.1) on Ubuntu 16.04 with mod_userdir, mod_suexec_custom, mod_cgid and php5.6-cgi.

Users can place arbitrary documents and scripts in their userdirs and are not considered trusted, so should not be able to interfere with anything except their own scripts and should not be able to do anything other than have apache execute their scripts with their

https://httpd.apache.org/docs/2.4/mod/mod_cgid.html#scriptsock says:
The socket will be opened using the permissions of the user who starts Apache (usually root). To maintain the security of communications with CGI scripts, it is important that no other user has permission to write in the directory where the socket is located.

To make CGID work with suexec+userdir, I've had to change the socket to make it group-owned by www-data and with g+w set:

me@box:~$ ls -al /var/run/apache2/
total 4
drwxr-xr-x  2 root     root       80 Oct 20 09:09 .
drwxr-xr-x 25 root     root     1000 Oct 20 10:38 ..
-rw-r--r--  1 root     root        5 Oct 20 09:09 apache2.pid
srwx-w----  1 www-data www-data    0 Oct 20 09:09 cgisock.9822

I hacked up the init script to perform this, by adding the following to apache_wait_start:

# Once the cgid socket exists, hand it to the www-data group and let the
# group write to it, so suexec'd CGI scripts can reach cgid.
for sockfile in /var/run/apache2/cgisock.*; do
        if [ -S "$sockfile" ]; then
                chown www-data:www-data "$sockfile"
                chmod g+w "$sockfile"
        fi
done

This works because suexec apparently retains the www-data group membership.

(Here's the output of a php script that echoes posix_getuid() and runs system('id -a'):

31524
uid=31524(erlacher) gid=20909(tumuser) 
groups=20909(tumuser),0(root),4(adm),33(www-data),108(syslog),5177(sambarbg),9044(rbg),14777(ljfs),16693(desktop)

Ignore the "root" group, that's part of my groups. Of course it would be nice to have suexec drop groups, but that's not a feature that exists...
)

Now, getting back to the statement in the apache docs: Is this a security violation / vulnerability? What can an attacker do with that socket other than execute arbitrary programs on the machine using their own permissions (plus www-data group)? They can already do that by virtue of being able to place arbitrary cgi scripts in their userdirs.

Thank you for any thoughts or pointers!

Best regards,
Luke
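Added here as a worked example that is not part of the original message or of the Apache project: a small shell audit of the two conditions discussed, the owner-only-writable directory the mod_cgid docs require and the group-writable socket the init-script workaround creates. It assumes GNU coreutils stat(1); the default directory is the one shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit the mod_cgid socket
# directory against the condition in the mod_cgid docs (no other user may
# write there) and report whether the socket itself has been opened to
# its group, as the init-script workaround above does.
# Assumes GNU coreutils stat(1); the default path is the one from the post.

# has_write_bit MODE WHO -> true if a symbolic mode string (stat %A, e.g.
# "srwx-w----") grants write to the group (WHO=g) or to others (WHO=o).
has_write_bit() {
    case $2 in
        g) [ "$(printf '%s' "$1" | cut -c6)" = w ] ;;
        o) [ "$(printf '%s' "$1" | cut -c9)" = w ] ;;
        *) return 1 ;;
    esac
}

# audit_socket PATH -> 0 if only the owner can write to it, 1 otherwise.
# Prints the owning group: every account holding it as a supplementary
# group (here www-data, which suexec keeps) can talk to cgid directly.
audit_socket() {
    mode=$(stat -c '%A' "$1") || return 1
    group=$(stat -c '%G' "$1")
    if has_write_bit "$mode" o; then
        echo "FAIL: $1 ($mode) is world-writable"; return 1
    elif has_write_bit "$mode" g; then
        echo "WARN: $1 ($mode) writable by group '$group'"; return 1
    fi
    echo "OK:   $1 ($mode) writable by owner only"
}

# audit_cgisock [DIR] -> 0 only if the directory meets the documented
# condition and no cgisock.* inside it is group- or world-writable.
audit_cgisock() {
    dir=${1:-/var/run/apache2}
    rc=0
    dmode=$(stat -c '%A' "$dir") || return 1
    if has_write_bit "$dmode" g || has_write_bit "$dmode" o; then
        # This is the case the docs warn about: a writable directory
        # lets another user remove or replace the socket.
        echo "FAIL: $dir ($dmode) writable by non-owner"; rc=1
    else
        echo "OK:   $dir ($dmode) writable by owner only"
    fi
    for s in "$dir"/cgisock.*; do
        [ -S "$s" ] && { audit_socket "$s" || rc=1; }
    done
    return $rc
}
```

Run as root with `audit_cgisock` (or `audit_cgisock /some/other/dir`); on the layout shown in the post it reports the directory as OK and the socket as a WARN for group www-data.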
