Hi,

On Mon, 24 Feb 2003, David M. Wilson wrote:

> On Sat, Feb 22, 2003 at 02:46:59PM -0800, jon schatz wrote:
[snipp]
> Ideal permissions on CGI directories do not differ to the permissions on
> other content directories. I think you may be confused as to what
> execute permission actually means:

the point about leaked file descriptors is not about execute permissions.

Apache 2.0 currently execs cgi scripts / server side includes etc... with file descriptors open to all access and error logs on the server and also to a couple of internal pipes.

This means any cgi script can muck around with all access and error logs, read them, truncate them, overwrite them or append funny stuff.

There is a bug in apache 2.0 that prevents closing of these internal resources before running the cgi's.

That's all. And that's enough ...

Greetings
Christian

--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ckat_private
Phone: +49 7452 889-135
Open Software Solutions, Network Security
Fax: +49 7452 889-136
FreeBSD spoken here!
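The descriptor inheritance described in the message above, and the close-on-exec flag that prevents it, as an added example that is not part of the original post and is not Apache's code. Assumptions: a temporary file stands in for a server log, `/bin/sh` stands in for the CGI script, and the names `child_can_write_log` and `CHILD_FD` are hypothetical.

```c
/* Added example (not Apache code): does a log fd survive exec() into a script? */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_FD 9 /* constructed: fixed single-digit slot the sh one-liner can name */

/* Returns 1 if the exec'd child could write to the "log", 0 if not, -1 on error. */
int child_can_write_log(int set_cloexec)
{
    char path[] = "/tmp/fdleak-demo-XXXXXX"; /* constructed stand-in for error_log */
    int log_fd = mkstemp(path);
    if (log_fd < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(log_fd); unlink(path); return -1; }
    if (pid == 0) {
        /* Server side, just before running the script. */
        if (log_fd != CHILD_FD) {
            if (dup2(log_fd, CHILD_FD) < 0) _exit(127);
            close(log_fd);
        }
        /* The mitigation: mark the descriptor close-on-exec. */
        if (set_cloexec && fcntl(CHILD_FD, F_SETFD, FD_CLOEXEC) < 0) _exit(127);
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) dup2(devnull, STDERR_FILENO); /* hide sh's EBADF message */
        /* Stand-in for a CGI script that tries to use the inherited descriptor. */
        execl("/bin/sh", "sh", "-c", "echo probe >&9", (char *)NULL);
        _exit(127);
    }

    int status = 0;
    int waited = waitpid(pid, &status, 0) == pid;
    off_t size = lseek(log_fd, 0, SEEK_END); /* shared file: did the child append? */
    close(log_fd);
    unlink(path);
    if (!waited || !WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return size > 0 ? 1 : 0;
}

int main(void)
{
    printf("inherited as-is : child wrote to log = %d\n", child_can_write_log(0));
    printf("with FD_CLOEXEC : child wrote to log = %d\n", child_can_write_log(1));
    return 0;
}
```

The same check applies to any descriptor a server holds when it spawns untrusted code: either set `FD_CLOEXEC` when the descriptor is created or close it explicitly between `fork()` and `exec()`.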
This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 09:19:16 PST