-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've noticed something weird when using Apache and the suexec wrapper. Suexec is supposed not to change uid/gid to to anything less than minuid/mingid. This is not so true. Suppose we have mingid==100 and a user with gid==0 which belongs to groups 123,234,345. Suexec will no execute and script for this user. Now suppose we have the same user with gid==123 which belongs to groups0 ,234,345. Suexec will execute any cgi without problem. The running cgi will be a member of all those groups. This can be tested by simply running a shell script which calls id. I've found http://bugs.apache.org/index.cgi/full/1001 dated Sat Aug 16 13:39:01 1997. This is known for a long time but there is nothing done. At least there should be a note in the docs. I don't think that there exist a case where having gid<mingid is insecure, but being a member of a group with gid<mingid is secure. <<V13>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE71eP1beTfnxxoC7oRAnfJAJ93brLvwrkOoyr4IZBzg0rAFFnEdACePPhZ brpjfoY3/ek04hP8TdBbGqU= =tAt7 -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Tue Oct 23 2001 - 21:36:47 PDT