Re: Apache 2.x leaked descriptors

From: David M. Wilson (dw-securityfocus.com@botanicus.net)
Date: 02/24/03

  • Next message: Seth Knox: "Re: Bypassing Personal Firewalls" 
    Date: Mon, 24 Feb 2003 00:46:56 +0000
From: "David M. Wilson" <dw-securityfocus.com@botanicus.net>
To: jon schatz <jon@divisionbyzero.com>

    On Sat, Feb 22, 2003 at 02:46:59PM -0800, jon schatz wrote:

    > you can do more than that. unless the web server uses suexec, all the
    > cgi's run as the webserver user, who most likely has:

    > at least w to all log files for all vhosts (probably r+w)

    Installations like this are few and far between, it is the equivilant of
    chmod 777 /etc/passwd. Apache opens log files while still root, so write
    permission granted to the lower-permission Apache user should rarely
    happen in a properly administered environment.

    > at least r on all webhosting directories

    In a properly administered environment (where directory indexes are not
    enabled) you will at best have execute premissions, leaving you the
    option of brute-forcing the names of files in webroots.

    This is true since if indexing is disabled (mod_autoindex is disabled or
    not compiled in, and no DirectoryIndex entry which points to an indexing
    script is specified), Apache never attempts to read a directory, it only
    needs to stat() and open() inside it to serve GET/HEAD/POST requests.

    > at least r+x on all cgi-bin directories

    Ideal permissions on CGI directories do not differ to the permissions on
    other content directories. I think you may be confused as to what
    execute permission actually means:

    Execute permission on a directory does not mean that its content is
    executable, but that a process may chdir() into that directory and
    access files by name inside that directory. Read permission on a
    directory means a process may list its contents via readdir(), or
    getdents(), etc.

    David.

    Relevant Pages

    • Re: applications, users, groups, permissions
      ... > When apache tries to serve a file it must have permission to access ... > application file access permission questions. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx with a subject of "unsubscribe". ...
      (Debian-User)
    • Re: File permissions for a wiki-like site
      ... A smart host will make users members of the group owned by the Apache ... which needs x permission). ... shell scripts. ...
      (comp.lang.php)
    • Re: [PHP] Permission denied when executing copy command in a PHPscript
      ... Does the error message mean that access is denied in the 'from' file ( ... could have changed the user running apache or dir perms. ... directory has a Linux permission of 755. ... the Apache user; just make the Apache user the owner of the directory, ...
      (php.general)
    • Re: x86 instructions guide
      ... Not a bad idea Frank, ... 00400 user has read permission ... 00070 group has read, write and execute permission ... Man pages claim eax is -1 and error number is in "errno". ...
      (alt.lang.asm)
    • Re: Please Help!!! I need help with iptables permission issue
      ... I have a HTML form with C++ CGI to enter IP ... | user which does not have permission for any of the tables. ... | either give permission to apache user or make my CGI run as the root. ... your apache userid to run the iptables command, ...
      (comp.os.linux.security)