From: Nilgun Belma Buguner Date: Tue, 23 Sep 2008 23:09:50 +0000 (+0000) Subject: pre-translation improvements X-Git-Tag: 2.0.64~123 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09a5d427e872f02fbcf5eaa3eb8256ef978f1180;p=thirdparty%2Fapache%2Fhttpd.git pre-translation improvements git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@698397 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/suexec.xml b/docs/manual/suexec.xml index 7c6a38f6369..946e7e3e117 100644 --- a/docs/manual/suexec.xml +++ b/docs/manual/suexec.xml @@ -29,7 +29,7 @@ Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling - web-server. Normally, when a CGI or SSI program executes, it + web server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

Used properly, this feature can reduce @@ -115,7 +115,7 @@

  1. Is the user executing this wrapper a valid user of - this system? + this system?

    This is to ensure that the user executing the wrapper is @@ -125,7 +125,7 @@

  2. Was the wrapper called with the proper number of - arguments? + arguments?

    The wrapper will only execute if it is given the proper @@ -139,7 +139,7 @@

  3. Is this valid user allowed to run the - wrapper? + wrapper?

    Is this user the user allowed to run this wrapper? Only @@ -150,7 +150,7 @@

  4. Does the target CGI or SSI program have an unsafe - hierarchical reference? + hierarchical reference?

    Does the target CGI or SSI program's path contain a leading @@ -162,7 +162,7 @@

  5. - Is the target user name valid? + Is the target user name valid?

    Does the target user exist? @@ -170,7 +170,7 @@

  6. - Is the target group name valid? + Is the target group name valid?

    Does the target group exist? @@ -189,7 +189,7 @@

  7. Is the target userid ABOVE the minimum ID - number? + number?

    The minimum user ID number is specified during @@ -201,7 +201,7 @@

  8. Is the target group NOT the superuser - group? + group?

    Presently, suEXEC does not allow the root @@ -211,7 +211,7 @@

  9. Is the target groupid ABOVE the minimum ID - number? + number?

    The minimum group ID number is specified during @@ -223,7 +223,7 @@

  10. Can the wrapper successfully become the target user - and group? + and group?

    Here is where the program becomes the target user and @@ -245,12 +245,13 @@

  11. Is the directory within the Apache - webspace? + webspace?

    If the request is for a regular portion of the server, is the requested directory within suEXEC's document root? If - the request is for a UserDir, is the requested directory + the request is for a UserDir, is the requested directory within the directory configured as suEXEC's userdir (see suEXEC's configuration options)?

    @@ -258,7 +259,7 @@
  12. Is the directory NOT writable by anyone - else? + else?

    We don't want to open up the directory to others; only @@ -268,7 +269,7 @@

  13. - Does the target CGI/SSI program exist? + Does the target CGI/SSI program exist?

    If it doesn't exists, it can't very well be executed. @@ -277,7 +278,7 @@

  14. Is the target CGI/SSI program NOT writable - by anyone else? + by anyone else?

    We don't want to give anyone other than the owner the @@ -287,7 +288,7 @@

  15. Is the target CGI/SSI program NOT setuid or - setgid? + setgid?

    We do not want to execute programs that will then change @@ -297,7 +298,7 @@

  16. Is the target user/group the same as the program's - user/group? + user/group?

    Is the user the owner of the file? @@ -306,7 +307,7 @@

  17. Can we successfully clean the process environment - to ensure safe operations? + to ensure safe operations?

    suEXEC cleans the process' environment by establishing a @@ -319,7 +320,7 @@

  18. Can we successfully become the target CGI/SSI program - and execute? + and execute?

    Here is where suEXEC ends and the target CGI/SSI program begins. @@ -378,13 +379,15 @@ directories where suEXEC access should be allowed. All executables under this directory will be executable by suEXEC as the user so they should be "safe" programs. If you are - using a "simple" UserDir directive (ie. one without a "*" in - it) this should be set to the same value. suEXEC will not - work properly in cases where the UserDir directive points to + using a "simple" UserDir + directive (ie. one without a "*" in it) this should be set to the same + value. suEXEC will not work properly in cases where the UserDir directive points to a location that is not the same as the user's home directory - as referenced in the passwd file. Default value is - "public_html".
    - If you have virtual hosts with a different UserDir for each, + as referenced in the passwd file. Default value is + "public_html".
    + If you have virtual hosts with a different UserDir for each, you will need to define them to all reside in one parent directory; then name that parent directory here. If this is not defined properly, "~userdir" cgi requests will @@ -393,12 +396,13 @@

    --with-suexec-docroot=DIR
    Define as the DocumentRoot set for Apache. This will be - the only hierarchy (aside from UserDirs) that can be used for - suEXEC behavior. The default directory is the --datadir - value with the suffix "/htdocs", e.g. if you configure - with "--datadir=/home/apache" the directory - "/home/apache/htdocs" is used as document root for the suEXEC - wrapper.
    + the only hierarchy (aside from UserDirs) that can be used for suEXEC behavior. The + default directory is the --datadir value with the suffix + "/htdocs", e.g. if you configure with + "--datadir=/home/apache" the directory + "/home/apache/htdocs" is used as document root for the + suEXEC wrapper.
    --with-suexec-uidmin=UID
    @@ -417,63 +421,71 @@
    This defines the filename to which all suEXEC transactions and errors are logged (useful for auditing and debugging purposes). By default the logfile is named - "suexec_log" and located in your standard logfile directory - (--logfiledir).
    + "suexec_log" and located in your standard logfile + directory (--logfiledir).
    --with-suexec-safepath=PATH
    Define a safe PATH environment to pass to CGI executables. Default value is - "/usr/local/bin:/usr/bin:/bin".
    + "/usr/local/bin:/usr/bin:/bin". -

    Compiling and installing the suEXEC - wrapper
    - If you have enabled the suEXEC feature with the - --enable-suexec option the suexec binary - (together with Apache itself) is automatically built if you execute - the make command.
    - After all components have been built you can execute the - command make install to install them. The binary image - suexec is installed in the directory defined by the - --sbindir option. The default location is - "/usr/local/apache2/bin/suexec".
    - Please note that you need root - privileges for the installation step. In order - for the wrapper to set the user ID, it must be installed as - owner root and must have the setuserid - execution bit set for file modes.

    - -

    Setting paranoid permissions
    - Although the suEXEC wrapper will check to ensure that its - caller is the correct user as specified with the - --with-suexec-caller configure - option, there is - always the possibility that a system or library call suEXEC uses - before this check may be exploitable on your system. To counter - this, and because it is best-practise in general, you should use - filesystem permissions to ensure that only the group Apache - runs as may execute suEXEC.

    - -

    If for example, your web-server is configured to run as:

    - - - User www
    - Group webgroup
    -     - -

    and suexec is installed at - "/usr/local/apache2/bin/suexec", you should run:

    - - - chgrp webgroup /usr/local/apache2/bin/suexec
    - chmod 4750 /usr/local/apache2/bin/suexec
    -     - -

    This will ensure that only the group Apache runs as can even - execute the suEXEC wrapper.

    +
    + Compiling and installing the suEXEC wrapper + +

    If you have enabled the suEXEC feature with the + --enable-suexec option the suexec binary + (together with Apache itself) is automatically built if you execute + the make command.

    + +

    After all components have been built you can execute the + command make install to install them. The binary image + suexec is installed in the directory defined by the + --sbindir option. The default location is + "/usr/local/apache2/bin/suexec".

    + +

    Please note that you need root + privileges for the installation step. In order + for the wrapper to set the user ID, it must be installed as + owner root and must have the setuserid + execution bit set for file modes.

    +
    + +
    + Setting paranoid permissions + +

    Although the suEXEC wrapper will check to ensure that its + caller is the correct user as specified with the + --with-suexec-caller configure + option, there is + always the possibility that a system or library call suEXEC uses + before this check may be exploitable on your system. To counter + this, and because it is best-practise in general, you should use + filesystem permissions to ensure that only the group Apache + runs as may execute suEXEC.

    + +

    If for example, your web server is configured to run as:

    + + + User www
    + Group webgroup
    +     + +

    and suexec is installed at + "/usr/local/apache2/bin/suexec", you should run:

    + + + chgrp webgroup /usr/local/apache2/bin/suexec
    + chmod 4750 /usr/local/apache2/bin/suexec
    +     + +

    This will ensure that only the group Apache runs as can even + execute the suEXEC wrapper.

    +
    +
    Enabling & Disabling suEXEC @@ -556,7 +568,7 @@
  19. suEXEC Points Of Interest
  20. - Hierarchy limitations + Hierarchy limitations

    For security and efficiency reasons, all suEXEC requests @@ -571,7 +583,7 @@

  21. - suEXEC's PATH environment variable + suEXEC's PATH environment variable

    This can be a dangerous thing to change. Make certain @@ -583,7 +595,7 @@

  22. - Altering the suEXEC code + Altering the suEXEC code

    Again, this can cause Big Trouble if you