httpd-dev mailing list archives

From Lucid <>
Subject Re: Oops explained
Date Thu, 11 Jul 1996 16:49:58 GMT
>   Question:  My server never runs as root.  Will it be able to create a
>              PUT-able section of its own filespace (owned by the server uid)?
> If the server doesn't even start up as root, then my whole strategy
> for doing this particular check is impossible.  Then again, if the
> PUT-handler doesn't run setuid, the check isn't particularly necessary
> (because running the PUT-handler doesn't give attackers any privilege
> they don't already have).
> So, I could add code to the PUT-handler to disable the child-check
> code if the PUT-handler itself is *not* running setuid --- is that
> what you're asking for?  (It's very easy, if so).
> (NB, for others, a consequence of this is that any CGI script could
> walk all over the PUT-able section of the filespace... Roy presumably
> deals with this by disallowing CGI except for trusted users).
> rst

This is why I am thinking we should implement something like the union
filesystem... that way the only thing people can overwrite is the
uncommitted section...  The committer could allow for the
server to su to a given user (with password and userid provided by them)
from the www user; the access could be controlled via .htaccess.
The good thing about this is that the server will only be suid user
and never suid root... and the only function it will do is copy a file
from the "overlay" onto the normal document layer.

It could be integrated similar to /status as /commit
and could prompt for uid and password and display the "uncommitted" files
in their document directory...

The big reason why this might be good is it will free us from using RCS...

I know there will be security concerns but part of this might be possible..

-bill morris
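
The commit step proposed in this message (copy one file from the "overlay" onto the normal document layer), as an added example that is not part of the original post and is not Apache code. The function names `rel_ok`, `commit_file` and `demo`, the `.commit` temp suffix and the /tmp directories are assumptions made for illustration; the helper is meant to run as the document owner, never as root.

```c
/* Added illustration, not Apache code; all names and paths here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept only relative names with no empty, "." or ".." component. */
int rel_ok(const char *rel) {
    if (rel[0] == '/') return 0;
    for (const char *p = rel; ; p++) {           /* p++ steps over each '/' */
        size_t n = strcspn(p, "/");
        if (n == 0 || (n <= 2 && strspn(p, ".") >= n)) return 0;
        p += n;
        if (*p == '\0') return 1;
    }
}
/* Copy overlay/rel over docroot/rel via a temp file; 0 on success, -1 otherwise. */
int commit_file(const char *overlay, const char *docroot, const char *rel) {
    char src[1024], tmp[1040], dst[1024], buf[4096];
    ssize_t n = -1;
    if (!rel_ok(rel) || snprintf(src, sizeof src, "%s/%s", overlay, rel) >= (int)sizeof src
        || snprintf(dst, sizeof dst, "%s/%s", docroot, rel) >= (int)sizeof dst) return -1;
    snprintf(tmp, sizeof tmp, "%s.commit", dst);
    /* O_NOFOLLOW rejects a symlink as the last path component only. */
    int in = open(src, O_RDONLY | O_NOFOLLOW);
    int out = in < 0 ? -1 : open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    while (out >= 0 && (n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    if (in >= 0) close(in);
    if (out < 0) return -1;
    if (close(out) != 0 || n != 0 || rename(tmp, dst) != 0) { unlink(tmp); return -1; }
    return 0;                                    /* rename() made the swap atomic */
}
/* Constructed overlay and document directories; returns the committed file's size. */
int demo(void) {
    char ov[] = "/tmp/overlayXXXXXX", doc[] = "/tmp/htdocsXXXXXX", f[64];
    if (!mkdtemp(ov) || !mkdtemp(doc)) return -1;
    snprintf(f, sizeof f, "%s/index.html", ov);
    FILE *fp = fopen(f, "w");
    if (!fp || fputs("new page\n", fp) < 0 || fclose(fp) != 0) return -1;
    if (commit_file(ov, doc, "index.html") != 0) return -1;
    snprintf(f, sizeof f, "%s/index.html", doc);
    struct stat st;
    return stat(f, &st) == 0 ? (int)st.st_size : -1;
}
int main(void) { return demo() == 9 ? 0 : 1; }
```

Intermediate directories inside the overlay are still followed if they are symlinks, so the overlay tree itself has to be writable only through the PUT handler for the name check to be sufficient.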
