('binary' encoding is not supported, stored as-is) In-Reply-To: <3E57FDE3.9040502at_private> >you can do more than that. unless the web server uses suexec, all the >cgi's run as the webserver user, who most likely has: > >at least w to all log files for all vhosts (probably r+w) >at least r on all webhosting directories >at least r+x on all cgi-bin directories > >this is (and has been) a known issue for a while. it has periodically >been discussed on the apache mailing lists, and i think it came up on >bugtraq recently as well. There are ways to stop virtual hosted sites from having access to their neighbors or even having direct access to their own log files. This can be done through chroot, a sandbox, or jail. The problem is that all of these protection mechanisms breakdown if you inherit an open descriptor. The jail or sandbox would have to fstat thousands of file descriptors to see if they are open and close them before exec'ing the cgi. This is a performance hit and therefore unlikely. Apache 1.3.27 doesn't have this problem. Cheers, Steve Grubb
This archive was generated by hypermail 2b30 : Mon Feb 24 2003 - 13:22:14 PST