
suEXEC (mod_fcgi) security

Posted by Springy1, 06-24-2011, 10:00 AM
Hi All, Quick question that probably applies across the board. suPHP will only run scripts that are owned by the account owner. How come mod_fcgid with suEXEC, when running as the account owner, is able to run scripts NOT owned by the account owner? The suEXEC security model says: 18. Is the target user/group the same as the program's user/group? This seems to imply it should have the same behaviour as suPHP, but it doesn't. This is tested with a generic phpinfo(); test php page.

Posted by YUPAPA, 06-24-2011, 11:17 AM
The security model is still valid. If you install a plain apache and mod_fcgid and set FCGIWrapper directly to /usr/bin/php, then you try to execute a php script as a normal user and that php binary is owned by root, it won't let you. And thus, the long-winded way is to make a fcgid script owned by that normal user which then calls (exec) the php binary.

Posted by Springy1, 06-24-2011, 01:33 PM
Hmmm interesting. I wonder if I have a mis-configuration then. My FCGIWrapper directive points at a php-wrapper which calls /usr/bin/php-cgi. This wrapper is owned by the user (both owner/group). The php process runs as the user, and the suexec log shows the users uid/guid correctly executing the php-wrapper. Yet I can still run files owned by root and anyone else if the file has readable permissions for anyone (eg 644). Is it definately the case that suEXEC shouldn't be able to do this?

Posted by YUPAPA, 06-25-2011, 11:46 AM
I have just tested this for you on a VM and I am getting the security issue. Here is what I have: And that would print a 500 internal server error. If I change the line FCGIWrapper to /home/user/php.fcgi, it would work. Yep, unless someone patches the apache source code and bypasses the security check for the sake of convenience.
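To make the ownership rule discussed in the two replies above concrete, here is an added example (not code from the thread, and not Apache's own suexec source) that reimplements the "is the target user/group the same as the program's user/group?" step as a small POSIX shell check and applies it to a constructed FCGI wrapper. It assumes GNU coreutils `stat -c`; the wrapper contents and the temp directory are constructed for the demo, and `/usr/bin/php-cgi` is the path named earlier in the thread.

```shell
#!/bin/sh
# Added example: the ownership test suEXEC applies to the program it is asked
# to run (here, the FCGIWrapper script), written as a standalone check.
# Assumes GNU coreutils `stat -c '%u %g'` (Linux).

# owner_matches PATH UID GID
# Returns 0 when PATH exists and is owned by exactly UID:GID, 1 otherwise.
# This mirrors why a wrapper pointing straight at a root-owned /usr/bin/php
# is refused, while a user-owned php.fcgi that execs php-cgi is accepted.
owner_matches() {
    path=$1; want_uid=$2; want_gid=$3
    [ -e "$path" ] || return 1
    set -- $(stat -c '%u %g' "$path")      # $1 = owner uid, $2 = owner gid
    [ "$1" = "$want_uid" ] && [ "$2" = "$want_gid" ]
}

# check_wrapper PATH UID GID
# Prints a verdict in the spirit of the suexec log and returns the check result.
check_wrapper() {
    if owner_matches "$1" "$2" "$3"; then
        echo "ok: $1 is owned by $2:$3 (suEXEC would run it)"
        return 0
    else
        echo "refuse: $1 is not owned by $2:$3 (target uid/gid mismatch)"
        return 1
    fi
}

# Demo: a constructed wrapper owned by the current user, checked against the
# current uid:gid (accepted) and against a deliberately different uid (refused).
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\nexec /usr/bin/php-cgi\n' > "$tmp/php.fcgi"   # constructed wrapper
    chmod 755 "$tmp/php.fcgi"
    check_wrapper "$tmp/php.fcgi" "$(id -u)" "$(id -g)"
    check_wrapper "$tmp/php.fcgi" "$(( $(id -u) + 1 ))" "$(id -g)" || true
    rm -rf "$tmp"
}

demo
```

Note that this check only covers the wrapper named in FCGIWrapper: once the wrapper has been accepted and php-cgi is running as the user, which PHP files that interpreter then reads is governed by ordinary file permissions, not by suEXEC, which is exactly the difference from suPHP the original question points at.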

Posted by lovelycesar, 06-30-2011, 06:15 AM
Personally I prefer Debian with libapache2-mod-suphp, as its suphp configuration is easy.
