httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Randy Terbush <ra...@zyzzyva.com>
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 02:00:25 GMT
> > The UID is set for each VHost at startup. The VHost DocumentRoot
> > specifies the domain for the effective UID. Whether you specify
> > a ScriptAliased directory or not, the effective UID for the VHost
> > is pretty simple unless I missed something.
> >
> > r->server->server_uid
> > r->server->server_gid
> >
> > I think the real weakness here is giving enough functionality
> > to the wrapper without *it* being the security risk. Which I
> > am sure you are well aware of...
> 
> That is not the wrapper... That is the apache module...
> 
> You have to communicate that "trusted" uid<->vhost mapping to the wrapper
> which is sucgi.
> 
> -- Nathan

I've probably been staring at this way too long, however I understood
Sameer's question to be related to the Server's maping of uid to the CGI.

The server communicates that ID through the command line to the wrapper,
which is really the problem.

Would it be possible to communicate this information through an mmapped()
area? Passing the address to the wrapper?






Mime
View raw message