httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: SetUID once again
Date Tue, 26 Mar 1996 00:05:53 GMT
Randy Terbush wrote:
> Not that DirUID concept would not work, it just needs to do a lot more
> checking before executing the scripts. After having looked at, integrated
> and run both types of SetUID methods, the idea of running based on
> the owner or group of the file modes is more flexible and scaleable.

Except that SysV-based systems allow 'chown' to anyone, even root.

I could create a script that does something nasty, place it in my directory
and then 'chown' it to root, and I'm golden.

The way CGIWRAP does this is that it looks only in that person's
directory, makes sure that the directory and the file are owned by
the same person (and even same group if you want) and only then
executes. Thus, to run a 'root' script, I need to be able to write to
roots HOME in the first place to plop my script there.
-- 
Jim Jagielski  << jim@jaguNET.com >>   |      "That's a Smith & Wesson,
  **  jaguNET Access Services  **      |       and you've had your six" 
      Email: info@jaguNET.com          |             - James Bond
++    http://www.jaguNET.com/         +++      Voice/Fax: 410-931-3157       ++

Mime
View raw message