httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject WWW Form Bug Report: "CGI scripts all run by one user, thus no security between user areas" on OTHER:ALL (fwd)
Date Fri, 03 May 1996 15:35:37 GMT

Not acked.

At the moment we can't do what he's asking for because of
pre-forking, right?


Message-Id: <199605031524.IAA23934@taz.hyperreal.com>
From: Ray.Bellis@psy.ox.ac.uk
To: apache-bugs%apache.org@organic.com
Date: Fri May  3  8:24:20 1996
Subject: WWW Form Bug Report: "CGI scripts all run by one user, thus no security between user areas" on OTHER:ALL

Submitter: Ray.Bellis@psy.ox.ac.uk
Operating system: OTHER:ALL, version: 
Version of Apache Used: 
Extra Modules used: 
URL exhibiting problem: 

Symptoms:
--
Suggestion:

Defer setuid() until URL has been parsed.  If the
URL is ~user then setuid(user) otherwise setuid(default_user)

This would allow users to write CGI scripts that can read
(and write!) private files without possibility of interference
from other users' CGI scripts.

[This might have implications for when things like log files
are opened]
--

Backtrace:
--

--
----- End of forwarded message from Ray.Bellis@psy.ox.ac.uk -----
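
Added example, not part of the original messages and not Apache code: a sketch of the two steps the suggestion needs, mapping a ~user URL to an account name and then dropping to that account. The names url_to_user and drop_privileges are hypothetical. drop_privileges only works in a process that is still root, which is the constraint the pre-forking remark points at: a child that has already called setuid() to the default user cannot switch to another user afterwards.

```c
#define _DEFAULT_SOURCE                 /* for setgroups() on glibc */
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Extract the account name from a "/~user/..." path. Returns 1 and fills
 * `out` for a user URL, 0 for any other path (caller uses the default
 * user), -1 for a malformed or oversized name, which must be refused. */
int url_to_user(const char *path, char *out, size_t outlen)
{
    size_t n = 0;

    if (strncmp(path, "/~", 2) != 0)
        return 0;
    for (path += 2; *path != '\0' && *path != '/'; path++) {
        char c = *path;
        /* Conservative allow-list: rejects "..", "%" escapes, NUL tricks. */
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
              c == '_' || c == '-'))
            return -1;
        if (n + 1 >= outlen)
            return -1;
        out[n++] = c;
    }
    if (n == 0)
        return -1;
    out[n] = '\0';
    return 1;
}

/* Irreversibly become uid/gid. Order matters: supplementary groups, then
 * gid, then uid; once the uid is dropped the first two calls are refused. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* never run a user script as root */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)
        return -1;                      /* root was regained: drop failed */
    return 0;
}
```

The caller would resolve the returned name with getpwnam(), fork, and call drop_privileges in the child before exec of the script, treating any -1 as a reason to refuse the request.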
