[Secure-testing-team] Bug#618857: apache2-mpm-itk: if you do not assign a user ID, the default one from Apache is _NOT_ used.

Samuel Montosa samuel at dameuntoque.com
Sat Mar 19 00:05:43 UTC 2011


Package: apache2-mpm-itk
Version: 2.2.16-6
Severity: critical
Tags: security
Justification: root security hole


As far as I tested, in versions prior to 'squeeze', apache/itk behavior
was as claimed at http://mpm-itk.sesse.net/

"
AssignUserID: Takes two parameters, uid and gid (or really, user name
and group name); specifies what uid and gid the vhost will run as (after
parsing the request etc., of course).

_________Note that if you do not assign a user ID, the default one from
Apache will be used._____________
"

On 'squeeze', if the user ID is not assigned by AssignUserID in the
VirtualHost, the default ID will be __root__. The User and Group
directives from Apache will be ignored.

To temporarily solve this, I added this line between the IfModule and
/IfModule lines, in "Section 1: Global Environment" of apache2.conf:

# itk MPM
<IfModule mpm_itk_module>
    AssignUserId ${APACHE_RUN_USER} ${APACHE_RUN_GROUP}
</IfModule>



-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  actions alias auth_basic auth_digest authn_file authz_default
  authz_groupfile authz_host authz_user autoindex cgi dav dav_fs
  dav_lock deflate dir env fcgid jk mime negotiation php5 python
  reqtimeout rewrite setenvif ssl status suexec
List of enabled php5 extensions:
  "eaccelerator curl gd imap mcrypt memcache mysql mysqli pdo
  pdo_mysql pdo_pgsql pgsql suhosin

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34.6-xxxx-std-ipv6-64 (SMP w/2 CPU cores)
Locale: LANG=es_ES, LC_CTYPE=es_ES (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2-mpm-itk depends on:
ii  apache2.2-bin                 2.2.16-6   Apache HTTP Server common binary f
ii  apache2.2-common              2.2.16-6   Apache HTTP Server common files

apache2-mpm-itk recommends no packages.

apache2-mpm-itk suggests no packages.

-- no debconf information
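
An added example, not part of the original report or of mpm-itk: a small audit that lists the VirtualHost blocks with no AssignUserID of their own when no global AssignUserID is set, which is the condition the report describes. The function names and the sample config are constructed for illustration; it assumes, as the reporter's workaround does, that a global AssignUserID covers such vhosts, and it does not follow Include directives.

```python
import re

# Apache directive names are case-insensitive.
VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]*)>", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost\s*>", re.I)
ASSIGN = re.compile(r"^AssignUserID\s+(\S+)\s+(\S+)", re.I)

# Constructed sample config (not from the report); the global
# workaround line is commented out, so no default identity is set.
SAMPLE = """\
# AssignUserId ${APACHE_RUN_USER} ${APACHE_RUN_GROUP}
<VirtualHost *:80>
    ServerName a.example
    AssignUserID alice alice
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
</VirtualHost>
"""

def audit_itk_config(text):
    """Return (global AssignUserID or None, vhosts lacking their own)."""
    global_default = None
    unassigned = []
    current = None  # [address, opening line, has AssignUserID] inside a vhost
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = VHOST_OPEN.match(line)
        if m:
            current = [m.group(1).strip(), lineno, False]
        elif VHOST_CLOSE.match(line):
            if current and not current[2]:
                unassigned.append((current[0], current[1]))
            current = None
        else:
            a = ASSIGN.match(line)
            if a and current:
                current[2] = True  # vhost sets its own identity
            elif a:
                global_default = (a.group(1), a.group(2))
    return global_default, unassigned

def vhosts_running_as_root(text):
    """Vhosts that would hit the behaviour reported for 2.2.16-6."""
    default, unassigned = audit_itk_config(text)
    return [] if default else unassigned
```

Run it over the concatenated contents of apache2.conf and the enabled site files; each result is the vhost address and the line where its block opens.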




