View Single Post
  #1  
Old 21st October 2009, 19:53
xerc xerc is offline
Junior Member
 
Join Date: Oct 2009
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Exclamation suexec allows deleting files which owner is root

Hi folks,

I used the Lenny Perfect Server Tutorial to install my server.
ISPConfig 3.0.1.5

I use php fastcgi in all sites. My problem was that php was not allowed to write to files in the docroot, even if owner and group are correct (webXX and clientXX), rights of all directories and files were 755. Then I tried 775, and suddenly php was allowed to write in the docroot.

"That's not so pretty" I thought, so I looked around and found suexec.
I didn't found a switch in ISPConfig to enable suexec, so I added it manually to my vhost for testing:

<VirtualHost *:80>
SuexecUserGroup web13 client4

Now php could write in the docroot with 755. "Nice" I thought. Until I tested it in the depth:

First problem:
-r--r--r-- 1 root root 54 2009-10-21 18:11 test.php

test.php can be executed, even if owner is root.

Second Problem:
test.php can delete files owned by root, even if I set owner of test.php to web13 and group to client4.

test.php:
PHP Code:
<?php
unlink
("deleteme");
?>
-r--r--r-- 1 web13 client4 54 2009-10-21 18:11 test.php
-r--r--r-- 1 root root 0 2009-10-21 19:44 deleteme

Deleting is always possible.

Why is this possible? I thought suexec would prevent something link this.

Third problem:
-rwsr-xr-- 1 root www-data 14K 2009-07-14 22:47 /usr/lib/apache2/suexec

In http://httpd.apache.org/docs/2.0/suexec.html I read that suexec has to be owned by apache, but here it is owned by root. If I change the owner to www-data, apache won't stat (no suexec wrapper found).

EDIT:
When I do "su web13" I stay root, but I get no error.
/var/log/sulog says:
SU 10/22 11:21 + pts/1 root-web13

Last edited by xerc; 22nd October 2009 at 11:37.
Reply With Quote
Sponsored Links