httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 14:12:50 GMT
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> On Sun, 2 Jun 1996, Nathan Neulinger wrote:
> >        sucgi.c: Ok, I see you are 'www', I'll let you run any script as any
> > user - I'm not talking about the apache module... The weakest link is the
> > sucgi.c executable.
> 
> 	I think you're misrepresenting this by simplifying too much.  In
> its original form, it took a filename with no slashes in it, and built the
> path to the cgi-bin itself.  Therefore, only programs/scripts located in
> the predefined work area of a particular user would be executed as that
> user.  In short, if someone owned a dangerous executable, and were silly
> enough to put it in cgi-bin, then yes they have a problem.  But the
> weakest link there is not sucgi.c, but the user -- as with all CGI.

In all fairness to Jason, I did remove this portion of his wrapper.
I have always been able to run the server allowing .cgi in any
directory. I would like to find a way to continue to do so.

Unfortunately, this is the weakness of having the wrapper sitting
on disk.
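The restriction Jason describes above (the wrapper accepts only a bare filename with no slashes and builds the cgi-bin path itself), as an added illustration in C that is not sucgi.c or any Apache code; the /home/&lt;user&gt;/cgi-bin layout, the size limits and the function names are assumptions for this example, and the ownership/permission check goes slightly beyond what the message states.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Assumed layout for this example (not sucgi.c's): /home/<user>/cgi-bin/<script> */
#define CGI_PATH_FMT "/home/%s/cgi-bin/%s"

/* A "bare" name: non-empty, bounded, no path separators, no leading dot
 * (rejects ".", ".." and hidden files), printable ASCII without spaces. */
int is_bare_name(const char *s, size_t max)
{
    size_t i, len = strlen(s);
    if (len == 0 || len > max || s[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '/' || c == '\\' || c <= 0x20 || c >= 0x7f)
            return 0;
    }
    return 1;
}

/* Build the script path inside the user's own cgi-bin. The caller never
 * supplies a path, only a user name and a bare file name. Returns 1 on success. */
int build_script_path(const char *user, const char *script, char *out, size_t outlen)
{
    int n;
    if (!is_bare_name(user, 32) || !is_bare_name(script, 64))
        return 0;
    n = snprintf(out, outlen, CGI_PATH_FMT, user, script);
    return n > 0 && (size_t)n < outlen;
}

/* Before switching uid, refuse symlinks and non-regular files (lstat does not
 * follow links, so a symlink fails S_ISREG), files not owned by the target uid,
 * and anything group- or world-writable. Returns 1 if the file passes. */
int script_is_safe(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != uid)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}
```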