Re: Apache suexec

From: Pavel Kankovsky (peakat_private)
Date: Fri Oct 26 2001 - 04:33:16 PDT


    On Wed, 24 Oct 2001, Stefanos Harhalakis wrote:
    
    >  Suppose we have mingid==100 and a user with gid==0 which belongs to groups 
    > 123,234,345. Suexec will not execute any script for this user.
    > 
    >  Now suppose we have the same user with gid==123 which belongs to groups 
    > 0,234,345. Suexec will execute any cgi without problem. The running cgi will 
    > be a member of all those groups.
    
    suexec does not check supplementary groups. It could do it but I do not
    think it is a serious problem--the motivation behind the checks is to
    avoid accidental invocation of CGI programs running under root or other
    special accounts.
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
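
Added example, not part of the original message and not Apache's suexec code: a sketch of the supplementary-group check the reply says suexec "could do", using the quoted numbers (minimum gid 100, primary gid 123, groups 0, 234, 345). The function names `first_gid_below_min` and `check_all_groups` are hypothetical.

```c
#define _DEFAULT_SOURCE            /* exposes getgrouplist() on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical helper: index of the first gid below min_gid, or -1 if all pass. */
int first_gid_below_min(const gid_t *gids, int n, gid_t min_gid)
{
    for (int i = 0; i < n; i++)
        if (gids[i] < min_gid)
            return i;
    return -1;
}

/* Hypothetical check: build the full group list for `user` (primary gid plus
 * supplementary groups from the group database) and test every entry.
 * Returns 0 if acceptable, 1 if a gid is too low (stored in *bad), -1 on error. */
int check_all_groups(const char *user, gid_t primary, gid_t min_gid, gid_t *bad)
{
    int n = 32;
    gid_t *gids = malloc((size_t)n * sizeof *gids);
    if (!gids)
        return -1;
    if (getgrouplist(user, primary, gids, &n) == -1) {
        /* Buffer too small: n now holds the required count, so retry once. */
        gid_t *tmp = realloc(gids, (size_t)n * sizeof *gids);
        if (!tmp) { free(gids); return -1; }
        gids = tmp;
        if (getgrouplist(user, primary, gids, &n) == -1) { free(gids); return -1; }
    }
    int i = first_gid_below_min(gids, n, min_gid);
    if (i >= 0 && bad)
        *bad = gids[i];
    free(gids);
    return i >= 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed input mirroring the quoted message: primary gid first. */
    gid_t quoted[] = { 123, 0, 234, 345 };
    int i = first_gid_below_min(quoted, 4, 100);
    printf("primary gid %u passes a primary-only check; full-list check: %s\n",
           (unsigned)quoted[0], i < 0 ? "accept" : "reject");
    return 0;
}
```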
    


