httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: WWW Form Bug Report: "CGI scripts all run by one user, thus no security between user areas" on OTHER:ALL (fwd)
Date Fri, 03 May 1996 16:30:22 GMT
Rob Hartill wrote:
> 
> 
> Not acked.
> 
> At the moment we can't do what he's asking for because of
> pre-forking. right?

We can do it but it means leaving all processes as superuser. To implement this
correctly they should stay superuser throughout URL processing. Dangerous.

Cheers,

Ben.

> 
> 
> Message-Id: <199605031524.IAA23934@taz.hyperreal.com>
> From: Ray.Bellis@psy.ox.ac.uk
> To: apache-bugs%apache.org@organic.com
> Date: Fri May  3  8:24:20 1996
> Subject: WWW Form Bug Report: "CGI scripts all run by one user, thus no security between user areas" on OTHER:ALL
> 
> Submitter: Ray.Bellis@psy.ox.ac.uk
> Operating system: OTHER:ALL, version: 
> Version of Apache Used: 
> Extra Modules used: 
> URL exhibiting problem: 
> 
> Symptoms:
> --
> Suggestion:
> 
> Defer setuid() until URL has been parsed.  If the
> URL is ~user then setuid(user) otherwise setuid(default_user)
> 
> This would allow users to write CGI scripts that read
> (and write!) private files without possibility of interference
> from other users' CGI scripts.
> 
> [This might have implications for when things like log files
> are opened]
> --
> 
> Backtrace:
> --
> 
> --
> ----- End of forwarded message from Ray.Bellis@psy.ox.ac.uk -----

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.
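
The trade-off discussed in this thread, as an added C example that is not code from Apache or from either poster: because setuid() away from root cannot be undone, the per-user switch has to happen in a child forked for the request, while the process that parsed the URL keeps superuser rights. The function names, the `default_user` and `cgi` parameters, the user-name alphabet and the refusal to run as uid 0 are assumptions of this example.

```c
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy the user name from a "/~user/..." URL path into out.
   Returns 1 for a well-formed ~user path, 0 otherwise (caller uses the default user). */
int url_user(const char *path, char *out, size_t outlen)
{
    if (strncmp(path, "/~", 2) != 0)
        return 0;
    size_t n = strcspn(path + 2, "/");
    if (n == 0 || n >= outlen)
        return 0;
    /* Accept only a conservative name alphabet before asking getpwnam(). */
    if (strspn(path + 2, "abcdefghijklmnopqrstuvwxyz0123456789_-") != n)
        return 0;
    memcpy(out, path + 2, n);
    out[n] = '\0';
    return 1;
}

/* Irreversibly become pw: supplementary groups, then gid, then uid. 0 on success. */
int drop_privileges(const struct passwd *pw)
{
    if (pw->pw_uid == 0)
        return -1;                                 /* example policy: no CGI as root */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0) return -1;                 /* regaining root must fail */
    return 0;
}

/* Call only in a child forked for one request; the root parent keeps serving.
   Returns -1 on any failure and never returns on success (exec replaces the child). */
int run_cgi_as_url_owner(const char *path, const char *default_user, const char *cgi)
{
    char name[33];
    const struct passwd *pw =
        getpwnam(url_user(path, name, sizeof name) ? name : default_user);
    if (pw == NULL || drop_privileges(pw) != 0)
        return -1;
    execl(cgi, cgi, (char *)NULL);
    return -1;                                     /* exec failed */
}
```

Everything up to the fork, including request reading and URL parsing, still runs with root privileges in this layout, which is the exposure the reply above calls dangerous.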
