Received: by taz.hyperreal.com (8.6.12/8.6.5) id VAA02549; Mon, 11 Dec 1995 21:51:48 -0800
Received: from infinity.c2.org by taz.hyperreal.com (8.6.12/8.6.5) with ESMTP id VAA02516; Mon, 11 Dec 1995 21:51:05 -0800
Received: (from sameer@localhost) by infinity.c2.org (8.7.1/8.6.9) id VAA12237 for new-httpd@hyperreal.com; Mon, 11 Dec 1995 21:45:07 -0800 (PST)
Community ConneXion: Privacy & Community:
From: sameer
Message-Id: <199512120545.VAA12237@infinity.c2.org>
Subject: Re: opinions on DoSetEUID
To: new-httpd@hyperreal.com
Date: Mon, 11 Dec 1995 21:44:58 -0800 (PST)
In-Reply-To: <199512120538.XAA07363@sierra.zyzzyva.com> from "Randy Terbush" at Dec 11, 95 11:38:55 pm
X-Mailer: ELM [version 2.4 PL20]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

	I am pretty concerned with the security of it, as well. My
biggest fear is the switching back to euid nobody after processing a
request under someone else's uid. I haven't closely looked at the code
though, and was hoping someone else has gone through it closely.

>
> > Have people installed DoSetEUID? Has it worked? My mod_ecash
> > would be much easier with DoSetEUID, but I'm curious to know if
> > it actually works well.
> >
> > --
>
> I have done some limited testing of it, and it seems to work.
> There are some real concerns that RST raises about security, and
> I got spooked on my main server when I started getting mail
> from root generated by the server... I'm still looking at how
> to make this as useful as it could be. Comments welcome on the
> security issue.
>
>

--
sameer                                      Voice:   510-601-9777
Community ConneXion                         FAX:     510-601-9734
The Internet Privacy Provider               Dialin:  510-658-6376
http://www.c2.org/ (or login as "guest")    sameer@c2.org