[Secure-testing-team] Bug#743483: apache2-mpm-itk: AssignUserID is ignored in favor of file ownership.
Rens Houben
shadur at tyson.systemec.nl
Thu Apr 3 10:01:02 UTC 2014
Package: apache2-mpm-itk
Version: 2.2.22-13+deb7u1
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
I was setting up a new webhosting server using the latest Wheezy version,
and in particular moving away from suexec/fcgid and to mpm-itk for performance
reasons. During one of the tests with a php script containing just the line
<?php print get_current_user() ?>
I was shocked to discover that the return value was 'root' rather than
'testclient' because I'd created the file as root ('testclient' doesn't get
a shell login) and the script's UID was set to the file owner rather than the
explicitly stated AssignUserID testclient webclients.
I ran a second test, this time placing the script in /var/www and adding
'AssignUserID www-data www-data' to /etc/apache2/sites-enabled/000-default,
and observed the same behavior.
I'm breaking my head over whether I might have made a mistake during
configuration, but this is a near-pristine server setup -- and either I've
done something very badly wrong or this is a serious security problem with
mpm-itk, especially if someone can write a script in their webhosting docroot
and then chown it to root.
-- Package-specific info:
List of enabled modules from 'apache2 -M':
alias auth_basic authn_file authz_default authz_groupfile
authz_host authz_user autoindex cgi deflate dir env evasive20 mime
negotiation php5 reqtimeout setenvif status
List of enabled php5 extensions:
memcached pdo
-- System Information:
Debian Release: 7.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apache2-mpm-itk depends on:
ii apache2.2-bin 2.2.22-13+deb7u1
ii apache2.2-common 2.2.22-13+deb7u1
apache2-mpm-itk recommends no packages.
apache2-mpm-itk suggests no packages.
-- no debconf information
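An operator-side check for the condition the report describes, added here as an example and not part of the bug report or the apache2-mpm-itk package: it reads the user from a vhost's AssignUserID line and lists the files in that docroot whose owner differs, since under the reported behaviour exactly those files would run as the wrong identity. The vhost file and docroot written by the demo are constructed; the report's own paths would be /etc/apache2/sites-enabled/000-default and /var/www.

```sh
#!/bin/sh
# Audit one vhost: do the docroot's files belong to the AssignUserID user?
# Assumes POSIX sh, find(1), awk(1), id(1); no Apache-specific tooling.

# Print the user named by the first AssignUserID directive in a vhost file.
assign_user_id_of() {
    awk 'toupper($1)=="ASSIGNUSERID" { print $2; exit }' "$1"
}

# Print the number of regular files under $1 not owned by user $2.
count_unexpected_owners() {
    find "$1" -type f ! -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# List (ls -ld style) every regular file under $1 not owned by user $2.
list_unexpected_owners() {
    find "$1" -type f ! -user "$2" -exec ls -ld {} +
}

# Return 0 if every file in docroot $2 is owned by the AssignUserID user
# from vhost file $1, 1 if any file is not, 2 if the check cannot be made.
audit_vhost() {
    conf=$1; docroot=$2
    user=$(assign_user_id_of "$conf")
    [ -n "$user" ] || { echo "no AssignUserID in $conf" >&2; return 2; }
    # find -user needs a known account; a missing one is itself a finding.
    id -u "$user" >/dev/null 2>&1 \
        || { echo "AssignUserID user '$user' does not exist on this host" >&2; return 2; }
    n=$(count_unexpected_owners "$docroot" "$user")
    if [ "$n" -eq 0 ]; then
        echo "ok: all files in $docroot are owned by $user"
        return 0
    fi
    echo "WARNING: $n file(s) in $docroot not owned by $user:"
    list_unexpected_owners "$docroot" "$user"
    return 1
}

# Demo on a constructed vhost and docroot mirroring the report's first test:
# AssignUserID testclient, script file created by whoever runs this check.
demo=$(mktemp -d)
mkdir -p "$demo/www"
printf 'AssignUserID testclient webclients\nDocumentRoot %s\n' "$demo/www" > "$demo/000-default"
printf '<?php print get_current_user() ?>\n' > "$demo/www/whoami.php"
audit_vhost "$demo/000-default" "$demo/www" || true
rm -rf "$demo"
```

On a host without a `testclient` account the demo reports that instead, which is the same message an operator would want before a vhost goes live.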