[mpm-itk] mpm-itk feedback and questions

Bruccoleri, Robert (Ext) robert.bruccoleri at novartis.com
Tue May 20 16:00:49 CEST 2014


I ran strace on the httpd process and noted that the access of the file in question occurred before the setuid. I don't recall if the access was a stat call or an open call, but from strace, I could be certain it was the file referenced in the URL that initiated the execution of the request to httpd.

Robert Bruccoleri
robert.bruccoleri at novartis.com
Consultant for Novartis Institute for Biomedical Research
Congenomics, LLC
+1 609 902 8419

-----Original Message-----
From: mpm-itk [mailto:mpm-itk-bounces at err.no] On Behalf Of Steinar H. Gunderson
Sent: Tuesday, May 20, 2014 9:02 AM
To: mpm-itk at err.no
Subject: Re: [mpm-itk] mpm-itk feedback and questions

On Tue, May 20, 2014 at 12:42:46PM +0000, Bruccoleri, Robert (Ext) wrote:
> Unfortunately, the code first attempted to access the protected files 
> as the apache user, and then it issued the setuid system call to 
> change the server's UID. Obviously, this is the wrong order. The 
> setuid call should happen first, before the files are accessed.

This sounds very odd. On what do you base this analysis, and what precisely do you mean by “access”?

/* Steinar */
--
Homepage: http://www.sesse.net/

_______________________________________________
mpm-itk mailing list
mpm-itk at err.no
http://lists.err.no/mailman/listinfo/mpm-itk
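
Added example, not part of either message and not mpm-itk code: one way to settle the ordering question raised in this thread is to scan `strace -f` output for path-based syscalls that a process issued before its first successful UID change, keeping the syscall name and return value so a `stat` is distinguishable from an `open`. The function name, the path prefix, and the sample trace (pids, uid, paths) are constructed for illustration and make no claim about what mpm-itk actually does.

```python
import re

# Syscalls that touch a file by path, and calls that change the process UID.
FILE_CALLS = {"stat", "lstat", "newfstatat", "access", "open", "openat"}
UID_CALLS = {"setuid", "setreuid", "setresuid"}

# Matches "[pid 4242] name(args) = ret" (strace -f) or "4242 name(args) = ret" (strace -f -o).
LINE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)')
PATH = re.compile(r'"([^"]*)"')

def accesses_before_setuid(lines, prefix):
    """Return (pid, syscall, path, retval) for path-based calls under `prefix`
    that a process made before its first successful UID change.
    Processes that never change UID in the trace are not reported."""
    pending = {}      # pid -> accesses seen while still running as the original UID
    switched = set()  # pids that have already changed UID
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unfinished/resumed calls, signals, exit lines
        pid = m.group(1) or m.group(2) or "0"
        name, args, ret = m.group(3), m.group(4), int(m.group(5))
        if name in UID_CALLS and ret == 0 and pid not in switched:
            switched.add(pid)
            findings.extend(pending.pop(pid, []))
        elif name in FILE_CALLS and pid not in switched:
            p = PATH.search(args)
            if p and p.group(1).startswith(prefix):
                pending.setdefault(pid, []).append((pid, name, p.group(1), ret))
    return findings

# Constructed sample trace, not captured from a real server.
SAMPLE = '''\
[pid 4242] stat("/home/alice/www/report.html", {st_mode=S_IFREG|0600, st_size=512, ...}) = 0
[pid 4242] open("/home/alice/www/report.html", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
[pid 4242] setgid(1001) = 0
[pid 4242] setuid(1001) = 0
[pid 4242] open("/home/alice/www/report.html", O_RDONLY|O_CLOEXEC) = 3
[pid 4243] stat("/var/www/index.html", {st_mode=S_IFREG|0644, st_size=90, ...}) = 0
'''.splitlines()

if __name__ == "__main__":
    for pid, name, path, ret in accesses_before_setuid(SAMPLE, "/home/"):
        print(f"pid {pid}: {name}({path!r}) = {ret} before UID change")
```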

