httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 01:01:58 GMT

> The *combination* of giveaway chowns and something like the current
> sucgi-wrapper *is* pretty dangerous --- but my personal expectation is
> that if we were to release such code, and CERT were to get a report of
> nasty exploits, they'd come after us, and not the OS vendor.
> 
> rst

I agree completely.

I've been banging away for quite a few months looking for a solution
that the group can be comfortable with. The next incarnation of sucgi.c
will have a few more checks in place. It would be relatively easy
to set up a test for giveaway chowns and configure the compile of
sucgi.c to be that next bit more paranoid. Neither FreeBSD nor Solaris
has this problem, so I'm not too concerned about the restriction.
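
A test for giveaway chowns of the kind the message mentions, as an added example that is not part of the original message and not code from sucgi.c or the Apache project. The function names and the fail-closed policy are hypothetical; the probe itself uses the POSIX `pathconf()` option `_PC_CHOWN_RESTRICTED`.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

enum chown_policy { CHOWN_RESTRICTED, CHOWN_GIVEAWAY, CHOWN_UNKNOWN };

/* Interpret a pathconf(dir, _PC_CHOWN_RESTRICTED) result.
 * Any value other than -1: chown() needs privilege on this filesystem.
 * -1 with errno untouched: option not in effect, owners may give files away.
 * -1 with errno set: the query itself failed. */
enum chown_policy classify_chown(long value, int err)
{
    if (value != -1)
        return CHOWN_RESTRICTED;
    return err == 0 ? CHOWN_GIVEAWAY : CHOWN_UNKNOWN;
}

/* Probe the directory that holds the CGI scripts. */
enum chown_policy probe_chown(const char *dir)
{
    long value;

    errno = 0;
    value = pathconf(dir, _PC_CHOWN_RESTRICTED);
    return classify_chown(value, errno);
}

/* Hypothetical wrapper policy: a script's owner uid only identifies who
 * installed it when files cannot be given away, so fail closed otherwise. */
int may_trust_owner(enum chown_policy p)
{
    return p == CHOWN_RESTRICTED;
}

/* Exit status 0 only when ownership is trustworthy, so a build or
 * install script can run this against the CGI directory. */
int main(int argc, char **argv)
{
    static const char *label[] = { "restricted", "giveaway", "unknown" };
    const char *dir = argc > 1 ? argv[1] : ".";
    enum chown_policy p = probe_chown(dir);

    printf("%s: chown is %s\n", dir, label[p]);
    return may_trust_owner(p) ? 0 : 1;
}
```

The answer is per filesystem, so the probe should be run against the directory the scripts actually live in rather than once for the whole host.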






