id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc
60	Replace executable bit and binfmt_misc with Apache handlers	andersk		"Our AFS patch currently marks every file as executable.  This was done to allow the binfmt_misc hack to work for Perl, PHP, Python, and Mono scripts.  Previously binfmt_misc was also used for static content, until it became clear that this opens an exploitable security problem with MediaWiki uploads.

I believe the executable bit is still be a security danger (albeit not as immediately exploitable) because fundamentally, it defeats a suexec sanity check.  It should be harder for an attacker to put an executable file inside web_scripts than a normal file, so that an Apache compromise does not spread to other accounts via suexec.

We should be able to completely replace the executable bit+binfmt_misc hack with a solution based on Apache handlers.
 * I suspect Perl and Python don’t need special handlers at all (since Perl and Python programmers expect to need shebang lines), although we may need some kind of transition period to check whether users are relying on the executable bit.
 * We can wrap PHP in a handler that performs extra security checks, such as that the extension really is .php.  This handler could later grow into the FastCGI PHP proxy pony.  It could also solve #2.
 * Static content should also become a handler, so that users can add their own static extensions.
 * As for Mono, well, what the fuck.  (Maybe keep binfmt_misc but require explicit executable bits for that.)

The hardest problem is how to get these Apache handlers to run with the correct uid.  My last proposal was a FUSE filesystem that I have prototyped at /mit/andersk/Public/scripts/scriptswrapfs.c, but I’d be interested in better ideas."	defect	new	major		web