Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate

From: Jeremy C. Reed (reedat_private)
Date: Wed Aug 01 2001 - 13:55:39 PDT


    On Wed, 1 Aug 2001, Olaf Bohlen wrote:
    
    > But: no user (except root) should be able to gain access to nobody. so 
    
    As another posting indicated and what I have seen on many, many systems,
    webservers often run CGIs as nobody -- so, in fact, everybody is
    nobody. (Or in other words, it is easy for many users to gain access to
    nobody.)
    
    > this is not a security hole imho.
    
    This Slackware locatedb vulnerability is a perfect example to counter your
    reasoning.
    
    "No privileges" is the purpose of user nobody.
    
    I believe it is usually assumed that files shouldn't be owned by
    nobody. It is assumed that if your nobody-running tool is exploited that
    it should not be able to take advantage of anything else.
    
    If some tool running as nobody is exploited, it still should have no
    privileges (like write access to some other nobody-owned file).
    
    > Also if you run apache-cgi's as user, apache chowns to the owner of the 
    > cgi before executing it:
    
    This depends on how it is configured. My apache configurations don't look
    at the owner of a CGI file and then setuid to that particular user before
    running it. In fact, if you use suexec, then it purposely does not run a
    CGI if its owner is different (because it is considered a security
    problem).
    
       Jeremy C. Reed
       http://www.reedmedia.net/
                                                   http://www.isp-faq.com/
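
An audit for the condition discussed above (files that the unprivileged account itself owns), added here as an example and not part of the original message. The function name `find_owned_by`, the account name "nobody" and the default roots `/var` and `/usr` are assumptions.

```python
import os
import stat

def find_owned_by(root, uid):
    """Return sorted (path, kind, mode) tuples for entries under root owned by uid.

    Entries are examined with lstat and symlinks are never followed, so a
    link planted by the account under audit cannot redirect the walk.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if st.st_uid != uid:
                continue
            if stat.S_ISDIR(st.st_mode):
                kind = "dir"    # owner can create or replace entries inside
            elif stat.S_ISLNK(st.st_mode):
                kind = "symlink"
            elif stat.S_ISREG(st.st_mode):
                kind = "file"
            else:
                kind = "other"  # device node, FIFO, socket
            # The mode is context only: an owner can chmod its own file,
            # so every hit is writable by that account in practice.
            mode = format(stat.S_IMODE(st.st_mode), "04o")
            findings.append((path, kind, mode))
    return sorted(findings)

if __name__ == "__main__":
    import pwd
    import sys
    # Assumption: the unprivileged account is named "nobody" on this system.
    uid = pwd.getpwnam("nobody").pw_uid
    for root in sys.argv[1:] or ["/var", "/usr"]:
        for path, kind, mode in find_owned_by(root, uid):
            print(f"{kind:8}{mode:6}{path}")
```

Run as root so unreadable directories are not silently skipped; an empty report is the expected result on a system where nobody owns nothing.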
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 16:32:12 PDT