httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 00:47:39 GMT
> At 4:39 PM 6/2/96, sameer@c2.org wrote:
> > >
> > > I see no problem with suCGI suitably modified with the above checks for use
> > > in personal user directories... But I don't see an easy way to do for
> > > virtual hosts that will both work and is safe.
> >
> >         I think that for virtual hosts you can have a mapping of
> > vhost->uid *and* the CGIs must be owned by that UID. Shouldn't be a
> > problem. Unless I misunderstand what you are saying here.
> 
> The problem is getting the wrapper to know that... I.e. the wrapper will
> have to read a config file of some sort to find out what uid is mapped to
> what virtual dir.
> 
> -- Nathan

The UID is set for each VHost at startup. The VHost DocumentRoot
specifies the domain for the effective UID. Whether you specify
a ScriptAliased directory or not, the effective UID for the VHost
is pretty simple unless I missed something.

r->server->server_uid
r->server->server_gid

I think the real weakness here is giving enough functionality
to the wrapper without *it* being the security risk. Which I
am sure you are well aware of...
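
The vhost->uid ownership rule discussed in this thread, as an added example that is not part of the original message and is not Apache's or suCGI's code. The function names, result codes and the choice to refuse uid/gid 0 and group/world-writable or setuid scripts are assumptions made for illustration; the uid/gid arguments stand for the per-vhost pair the server already holds (r->server->server_uid, r->server->server_gid).

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

enum { CGI_OK, CGI_BAD_PATH, CGI_OUTSIDE_ROOT, CGI_NOT_REGULAR,
       CGI_WRONG_OWNER, CGI_UNSAFE_MODE, CGI_PRIVILEGED_ID };

/* 1 if `real` lies strictly below `root`; both must already be canonical. */
int within_root(const char *root, const char *real)
{
    size_t n = strlen(root);
    return strncmp(real, root, n) == 0 && real[n] == '/';
}

/* Policy on the script's metadata: owner/group are what lstat() reported,
 * uid/gid are the pair the server holds for the vhost (hypothetical API). */
int cgi_meta_check(mode_t mode, uid_t owner, gid_t group, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return CGI_PRIVILEGED_ID;          /* never switch to root */
    if (!S_ISREG(mode))
        return CGI_NOT_REGULAR;            /* no symlinks, dirs, devices */
    if (owner != uid || group != gid)
        return CGI_WRONG_OWNER;            /* CGI must belong to the vhost */
    if (mode & (S_IWGRP | S_IWOTH | S_ISUID | S_ISGID))
        return CGI_UNSAFE_MODE;            /* others could alter or escalate it */
    return CGI_OK;
}

/* Full check the wrapper would run before changing identity. */
int cgi_check(const char *docroot, const char *script, uid_t uid, gid_t gid)
{
    char root[PATH_MAX], real[PATH_MAX];
    struct stat st;

    /* Resolve symlinks and ".." so the prefix test sees the true location. */
    if (!realpath(docroot, root) || !realpath(script, real))
        return CGI_BAD_PATH;
    if (!within_root(root, real))
        return CGI_OUTSIDE_ROOT;
    if (lstat(real, &st) != 0)
        return CGI_BAD_PATH;
    return cgi_meta_check(st.st_mode, st.st_uid, st.st_gid, uid, gid);
}
```

The check and the later exec are separate steps, so a wrapper built on this also has to keep the script's directory from being rewritten in between, for example by applying the same ownership and mode rules to the parent directory.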





