Received: by taz.hyperreal.com (8.6.12/8.6.5) id SAA19728; Sun, 2 Jun 1996 18:02:06 -0700
Received: from sierra.zyzzyva.com by taz.hyperreal.com (8.6.12/8.6.5) with ESMTP id SAA19720; Sun, 2 Jun 1996 18:02:02 -0700
Received: from zyzzyva.com (localhost [127.0.0.1]) by sierra.zyzzyva.com (8.7.5/8.6.11) with ESMTP id UAA04953 for ; Sun, 2 Jun 1996 20:01:58 -0500 (CDT)
Message-Id: <199606030101.UAA04953@sierra.zyzzyva.com>
To: new-httpd@hyperreal.com
Subject: Re: setuid control WITHOUT running as root
In-reply-to: rst's message of Sun, 02 Jun 1996 20:44:44 -0400. <199606030044.UAA06316@volterra.ai.mit.edu>
X-uri: http://www.zyzzyva.com/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 02 Jun 1996 20:01:58 -0500
From: Randy Terbush
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

> The *combination* of giveaway chowns and something like the current
> sucgi-wrapper *is* pretty dangerous --- but my personal expectation is
> that if we were to release such code, and CERT were to get a report of
> nasty exploits, they'd come after us, and not the OS vendor.
>
> rst

I agree completely. I've been banging away for quite a few months
looking for a solution that the group can be comfortable with.

The next incarnation of sucgi.c will have a few more checks in place.
It would be relatively easy to set up a test for giveaway chowns and
configure the compile of sucgi.c to be that next bit more paranoid.

Neither FreeBSD nor Solaris has this problem, so I'm not too concerned
about the restriction.
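One way to write the test for giveaway chowns mentioned in the message above, as an added example that is not part of the original post or of sucgi.c. It uses the POSIX pathconf() query for _PC_CHOWN_RESTRICTED and fails closed; the function names and the idea of feeding the exit status to a build script are assumptions made for illustration.

```c
/* Added example: probe whether the OS permits "giveaway" chown.
 * All function and enum names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

enum chown_policy { CHOWN_RESTRICTED, CHOWN_GIVEAWAY, CHOWN_UNKNOWN };

/* Interpret a pathconf(_PC_CHOWN_RESTRICTED) result.
 * POSIX: any value other than -1 means chown is restricted;
 * -1 with errno untouched means the restriction is not in effect;
 * -1 with errno set means the query itself failed. */
enum chown_policy classify_chown(long rc, int err)
{
    if (rc != -1)
        return CHOWN_RESTRICTED;
    return err == 0 ? CHOWN_GIVEAWAY : CHOWN_UNKNOWN;
}

/* The answer is per path (it can differ between filesystems), so probe
 * the directory that will actually hold the CGI scripts. */
enum chown_policy chown_policy_for(const char *dir)
{
    long rc;

    errno = 0;                      /* needed to tell "no limit" from failure */
    rc = pathconf(dir, _PC_CHOWN_RESTRICTED);
    return classify_chown(rc, errno);
}

/* Fail closed: anything short of a confirmed restriction asks for the
 * stricter build. */
int needs_paranoid_build(enum chown_policy p)
{
    return p != CHOWN_RESTRICTED;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "restricted", "giveaway", "unknown" };
    const char *dir = argc > 1 ? argv[1] : ".";
    enum chown_policy p = chown_policy_for(dir);

    printf("%s: chown is %s\n", dir, names[p]);
    return needs_paranoid_build(p);  /* exit 0 only when restricted */
}
```

A compile-time answer can go stale if the scripts later move to another filesystem, so the same query can also be repeated at run time on the script's directory.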