httpd-dev mailing list archives

From "Jason A. Dour" <...@bcc.louisville.edu>
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 10:42:21 GMT
-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 2 Jun 1996, Nathan Neulinger wrote:
>        sucgi.c: Ok, I see you are 'www', I'll let you run any script as any
> user - I'm not talking about the apache module... The weakest link is the
> sucgi.c executable.

	I think you're misrepresenting this by simplifying too much.  In
its original form, it took a filename with no slashes in it, and built the
path to the cgi-bin itself.  Therefore, only programs/scripts located in
the predefined work area of a particular user would be executed as that
user.  In short, if someone owned a dangerous executable, and were silly
enough to put it in cgi-bin, then yes they have a problem.  But the
weakest link there is not sucgi.c, but the user -- as with all CGI.

Jason
+ Jason A. Dour                       jad@bcc.louisville.edu               +
| Programmer Analyst II               http://www.louisville.edu/~jadour01/ |
| Dept. of Radiation Oncology         Finger for Geek Code, PGP Public Key,|
+ University of Louisville            PJ Harvey info, and other stuff...   +

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMbLBkJo1JaC71RLxAQHhQAP7BTsV3kJedwsJZvI4RZ+0dZ2VnoP+nMcu
V/JVKIKur0hwMtYfbVylrPFuU0JFgMkD8YeZiY/4m6Qy975Azu6CGFZ9aFQ/85JA
YCfdJ+5+CIAuHoWJJn7wuvFvYM1Vj27fx/XpZPUATi+0+smNoXxHgEq3hvF3c/06
HduWKl/ia08=
=QsMb
-----END PGP SIGNATURE-----
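The path-building rule described above (the wrapper accepts a bare script name with no slashes and constructs the path to the user's own cgi-bin itself, so only files in that predefined area ever run as that user) is shown below as an added example in C. This is not the original sucgi.c, whose source is not on this page, and it is not Apache code; the `~user/cgi-bin` layout, the refusal to run as uids below 1000, and the `sucgi <user> <script>` calling convention are assumptions. The ownership and permission checks on the target go beyond what the message describes; they are the checks a reviewer would want in such a wrapper, since the message's own point is that a user who puts a dangerous executable in cgi-bin is the weak link.

```c
/* Added example, not the 1996 sucgi.c: a minimal setuid CGI wrapper that
 * builds the script path itself from a single, slash-free name.
 * Assumptions: scripts live in <home>/cgi-bin, system accounts are uid < 1000,
 * and the wrapper is invoked as "sucgi <user> <script-name>". */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>
#include <sys/stat.h>

#define CGI_SUBDIR "cgi-bin"   /* assumed per-user work area */
#define MIN_UID    1000        /* assumed: never run as a system account */

/* A script name must be one path component: non-empty, no '/', not "." or "..",
 * printable ASCII without spaces. Returns 1 if acceptable, 0 otherwise. */
int name_is_safe(const char *name)
{
    size_t i, n = strlen(name);
    if (n == 0 || n > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == ' ' || !isprint(c)) return 0;
    }
    return 1;
}

/* Build "<home>/cgi-bin/<name>" into out. The caller never supplies a path,
 * only a name; the wrapper decides where scripts may live.
 * Returns 0 on success, -1 on a rejected name, bad home, or truncation. */
int build_script_path(const char *home, const char *name, char *out, size_t outlen)
{
    int n;
    if (!name_is_safe(name)) return -1;
    if (home == NULL || home[0] != '/' || strstr(home, "..") != NULL) return -1;
    n = snprintf(out, outlen, "%s/%s/%s", home, CGI_SUBDIR, name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

/* Checks on the target before it runs as its owner: a regular file (the caller
 * uses lstat, so a symlink fails here), owned by the expected non-system user,
 * not group- or world-writable, not setuid/setgid, executable by its owner. */
int target_is_acceptable(const struct stat *st, uid_t expected_uid)
{
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_uid != expected_uid) return 0;
    if (st->st_uid < MIN_UID) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    if (st->st_mode & (S_ISUID | S_ISGID)) return 0;
    if (!(st->st_mode & S_IXUSR)) return 0;
    return 1;
}

/* Usage: sucgi <user> <script-name>. Intended to be installed setuid root and
 * executable only by the web server's uid (e.g. mode 4750, group www). */
int main(int argc, char **argv)
{
    struct passwd *pw;
    struct stat st;
    char path[4096];

    if (argc != 3) { fprintf(stderr, "usage: %s user script\n", argv[0]); return 1; }
    pw = getpwnam(argv[1]);
    if (pw == NULL) { fprintf(stderr, "no such user\n"); return 1; }
    if (build_script_path(pw->pw_dir, argv[2], path, sizeof path) != 0) {
        fprintf(stderr, "rejected script name\n"); return 1;
    }
    if (lstat(path, &st) != 0) { perror("lstat"); return 1; }  /* lstat: no symlink escape */
    if (!target_is_acceptable(&st, pw->pw_uid)) {
        fprintf(stderr, "target fails ownership/permission checks\n"); return 1;
    }
    /* Drop privileges in order: supplementary groups, gid, then uid. */
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
        perror("drop privileges"); return 1;
    }
    if (setuid(0) == 0) { fprintf(stderr, "privileges not dropped\n"); return 1; }
    execl(path, argv[2], (char *)NULL);
    perror("execl");
    return 1;
}
```

The two functions the web server's input reaches, `name_is_safe` and `build_script_path`, are pure and can be exercised without root; the privileged part is confined to `main`, which refuses to run anything the path and stat checks did not accept and verifies that `setuid(0)` fails before exec.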

