Samuel Montosa
2011-Mar-19 00:05 UTC
[Secure-testing-team] Bug#618857: apache2-mpm-itk: if you do not assign a user ID, the default one from Apache is _NOT_ used.
Package: apache2-mpm-itk
Version: 2.2.16-6
Severity: critical
Tags: security
Justification: root security hole

As far as I tested, in versions prior to 'squeeze', apache/itk behavior
was as claimed at http://mpm-itk.sesse.net/

"
AssignUserID: Takes two parameters, uid and gid (or really, user name
and group name); specifies what uid and gid the vhost will run as (after
parsing the request etc., of course).
_________Note that if you do not assign a user ID, the default one from
Apache will be used._____________
"

On 'squeeze', if user ID is not assigned by AssignUserID at VirtualHost,
default ID will be __root__. User and Group directives from Apache will
be ignored.

To temporarily solve this, I added this line between IfModule and
/IfModule lines, at "Section 1: Global Environment" at apache2.conf

# itk MPM
<IfModule mpm_itk_module>
    AssignUserId ${APACHE_RUN_USER} ${APACHE_RUN_GROUP}
</IfModule>

-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  actions alias auth_basic auth_digest authn_file authz_default
  authz_groupfile authz_host authz_user autoindex cgi dav dav_fs
  dav_lock deflate dir env fcgid jk mime negotiation php5 python
  reqtimeout rewrite setenvif ssl status suexec
List of enabled php5 extensions:
  "eaccelerator curl gd imap mcrypt memcache mysql mysqli pdo pdo_mysql
  pdo_pgsql pgsql suhosin

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34.6-xxxx-std-ipv6-64 (SMP w/2 CPU cores)
Locale: LANG=es_ES, LC_CTYPE=es_ES (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2-mpm-itk depends on:
ii  apache2.2-bin     2.2.16-6  Apache HTTP Server common binary f
ii  apache2.2-common  2.2.16-6  Apache HTTP Server common files

apache2-mpm-itk recommends no packages.

apache2-mpm-itk suggests no packages.

-- no debconf information
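
Added example, not part of the original report and not mpm-itk's own code: a Python check that lists VirtualHost blocks with no AssignUserID of their own when the configuration also has no server-level AssignUserID, which is the condition under which the report says requests run as root on squeeze. The function name and the sample configuration are assumptions made for illustration, and a server-level AssignUserID is treated as the default because that is what the report's workaround relies on.

```python
import re

# Added example. Assumes Include'd files are already concatenated into one
# string. SAMPLE_CONF is constructed (not the reporter's config).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName a.example
    AssignUserID alice alice
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    # AssignUserID bob bob
</VirtualHost>
"""

# The workaround quoted in the report, placed at server level.
WORKAROUND = """\
<IfModule mpm_itk_module>
AssignUserId ${APACHE_RUN_USER} ${APACHE_RUN_GROUP}
</IfModule>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\b([^>]*)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)
ASSIGN = re.compile(r"AssignUserID\s+\S+\s+\S+", re.I)
SERVER_NAME = re.compile(r"ServerName\s+(\S+)", re.I)

def vhosts_without_identity(conf_text):
    """Vhosts with neither their own AssignUserID nor a server-level one."""
    server_default, unassigned, current = False, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # commented-out directives do not count
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"name": opened.group(1).strip(), "assigned": False}
        elif VHOST_CLOSE.match(line):
            if current and not current["assigned"]:
                unassigned.append(current["name"])
            current = None
        elif ASSIGN.match(line):
            if current is None:
                server_default = True  # covers vhosts that set nothing
            else:
                current["assigned"] = True
        elif current and (name := SERVER_NAME.match(line)):
            current["name"] = name.group(1)
    return [] if server_default else unassigned
```

On the sample, the check flags b.example; with the report's workaround appended it flags nothing.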