httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 19:24:58 GMT

Randy Terbush wrote:
> 
> >   How would you suggest doing this?
> > 
> >   Maybe a simple check to see if User for this VHost is defined to
> >   be different from the main server id and calling the wrapper if it is?
> > 
> > Exactly --- check if those two integers are equal, and bypass the wrapper
> > if so.  What's the fuss?
> > 
> > rst
> 
> No muss, no fuss. Works just dandy.
> 
> One other option here that might make some people feel even better
> about this code... any installation of a wrapper program would 
> default to be non-suid. Anyone who changed that would be assuming the
> risks.

Uh? Why not just not install it at all (it can't do anything useful if it is
not setuid, can it?).

BTW, I've almost decided that chroot() doesn't help with security (because a
Bad Guy can still make something setuid to the attacked uid which can then be
exploited by another route).

Cheers,

Ben.


-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.
