httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jason A. Dour" <jadou...@homer.louisville.edu>
Subject Re: WWW Form Bug Report: "CGI scripts all run by one user, thus no security between user areas" on OTHER:ALL (fwd)
Date Fri, 03 May 1996 17:11:44 GMT
-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 3 May 1996, Rob Hartill wrote:
> At the moment we can't do what he's asking for because of
> pre-forking. right?

	I can't help myself...  I have to throw in my two bits...

	I personally don't see what there is to be gained by modfying the
forking model as it currently stands.  The only advantage I see would be
for CGI (which he explicity mentions) and includes (which he does not
explicitly mention).  If there are other types of files/actions that would
benefit from "run as owner" rights, could someone please offer some
examples?

	I'm in the middle of mod_sucgi (as some of you may know), and it
takes care of the CGI ~userdir requests.  I'll have mod_suinclude later
on, which will take care of the includes for ~userdirs.  But other than
that, I really can't think of anything else that would benefit from "run
as owner" access...

	Someone in a newsgroup mentioned that everything would be more
secure should it setuid fork to the owner of the file, since all the WWW
pages would be readable only by the owner on the local system, instead of
readable to the world.  But in my environment (and in other where I have
worked/consulted/meandered), all WWW pages are public read, and any
private data files are accessed through CGI.

	Perhaps I am missing something?  Wouldn't SUable CGI and Includes
solve the issues this gentleman is addressing?  Running my server as root
just plain bothers me...and changing the forking model to what he suggests
means that root would then (effectively) become the server user...  8(

Jason
+ Jason A. Dour                       jadour01@homer.louisville.edu        +
| Programmer Analyst II               http://www.louisville.edu/~jadour01/ |
| Dept. of Radiation Oncology         Finger for Geek Code, PGP Public Key,|
+ University of Louisville            PJ Harvey info, and other stuff...   +

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMYo+U5o1JaC71RLxAQFkXgP8DIaBfp9aNwfpqi2cbCZq3VuPZ4NOdMdG
H4irOo1e4ukH1LETxCti8MCKuVC0d0HiTFYZNu59SkfDApkvbCG7cQmlny47JDPE
he91PnYNysZixlB6Anhr6eNbgRw+rzvKfjgNzVqRmZ1f/od1vgkvC6kIGda4wM6g
agrrEtIZia0=
=d2iX
-----END PGP SIGNATURE-----


Mime
View raw message