httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: Time's a wastin'
Date Mon, 23 Sep 1996 20:14:37 GMT
Jason A. Dour wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> On Mon, 23 Sep 1996, Randy Terbush wrote:
> > > BUGS
> > > 3      When a sub-program is about to be run, Apache checks for correct
> > >        permissions, but it does not account for other groups that the
> > >        current user might be in. PATCH AVAILABLE.
> > Much of this has changed in 1.2. I would point out that Jason and I
> > made a decision to nuke other groups that the user might be in just
> > to be paranoid when doing setuid execution. Could I see the patch for
> > this?
> 
> 	Here's the way I see this...  Sorry if this has already been
> covered...  I've been too busy to keep up lately...
> 
> 	The server checks the primary group...it's simpler and faster than
> trying to check a whole list of groups against the current file.  If the
> user wants to specify a specific group from his group access list, then
> she can code it into the program.
> 
> 	Notice this only is an issue with ~userdir EXEC calls.  All others
> should have a Group specified either by the VHost, or later on, the Dir or
> Loc.  The setuid portion of suEXEC resets the group information, and
> establishes a group access list from *all* of the uid's groups.
> Therefore, the program should easily be able to act upon such group
> membership.
> 
> 	Is this still a problem for people?  Personally, I see it as a
> necessary security check...
> 

I have the patch, and it's "required" by many multi-group OSs.

I'll commit

-- 
Jim Jagielski  << jim@jaguNET.com >>   |   "If we took the bones out
  **  jaguNET Access Services  **      |    then it wouldn't be crunchy"
      Email: info@jaguNET.com          |            Whizzo Crunchy Frog
++    http://www.jaguNET.com/         +++      Voice/Fax: 410-931-3157       ++
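The disagreement above is about which groups a pre-execution permission check consults: only the target uid's primary gid, or the whole access list that initgroups() builds from every group the uid belongs to. The following C program is an added illustration written for this archive page; it is not suEXEC's code and not the patch Jim refers to, which does not appear on the page. It models the POSIX execute decision two ways, once with a primary-gid-only group class and once with the full list, and stats real paths for the calling process using getgroups() (in suEXEC's position this is the list initgroups() has just installed; checking an arbitrary user instead would use getgrouplist()). The function names, MAX_GROUPS and the sample uid/gid values in the comments are this example's own assumptions; root's override and ACLs are deliberately not modelled.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64   /* assumed upper bound on the access list */

/* Pick the POSIX access class (owner, group, other) and test its execute
 * bit, but let the group class match only the caller's primary gid.
 * This is the narrow check the thread complains about. */
int exec_allowed_primary_only(uid_t file_uid, gid_t file_gid, mode_t mode,
                              uid_t uid, gid_t primary_gid)
{
    if (file_uid == uid)
        return (mode & S_IXUSR) != 0;
    if (file_gid == primary_gid)
        return (mode & S_IXGRP) != 0;
    return (mode & S_IXOTH) != 0;
}

/* Same decision, but the group class matches any gid in the caller's
 * access list, which is how the kernel itself classifies the caller. */
int exec_allowed_any_group(uid_t file_uid, gid_t file_gid, mode_t mode,
                           uid_t uid, const gid_t *groups, int ngroups)
{
    if (file_uid == uid)
        return (mode & S_IXUSR) != 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == file_gid)
            return (mode & S_IXGRP) != 0;
    return (mode & S_IXOTH) != 0;
}

/* Fill `out` with the calling process's effective gid followed by its
 * supplementary groups. Returns the count, or -1 on error. Duplicates
 * (getgroups() may repeat the egid) are harmless for a membership scan. */
int load_process_groups(gid_t *out, int cap)
{
    if (cap < 1)
        return -1;
    out[0] = getegid();
    int n = getgroups(cap - 1, out + 1);
    if (n < 0)
        return -1;
    return n + 1;
}

/* stat() a path and print both verdicts for the calling process.
 * Returns 1 if the two checks disagree, 0 if they agree, -1 on error. */
int report_file(const char *path)
{
    struct stat st;
    gid_t groups[MAX_GROUPS];

    if (stat(path, &st) != 0) {
        perror(path);
        return -1;
    }
    int n = load_process_groups(groups, MAX_GROUPS);
    if (n < 0) {
        perror("getgroups");
        return -1;
    }
    int primary = exec_allowed_primary_only(st.st_uid, st.st_gid, st.st_mode,
                                            geteuid(), getegid());
    int any = exec_allowed_any_group(st.st_uid, st.st_gid, st.st_mode,
                                     geteuid(), groups, n);
    printf("%s: mode %04o uid %u gid %u -> primary-only %s, any-group %s\n",
           path, (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid,
           (unsigned)st.st_gid, primary ? "allow" : "deny",
           any ? "allow" : "deny");
    return primary != any;
}

int main(int argc, char **argv)
{
    /* usage: ./groupcheck /path/to/cgi-bin/script ... */
    for (int i = 1; i < argc; i++)
        report_file(argv[i]);
    return 0;
}
```

With constructed values the two checks diverge in both directions. For a script owned by uid 0, gid 100, mode 0750, a caller with uid 1000, primary gid 1000 and supplementary group 100 is denied by the primary-only check (it falls through to the "other" class, which has no x bit) but allowed by the any-group check. For the same caller and a file with mode 0705, the primary-only check allows (again via "other") while the any-group check, like the kernel, lands in the group class and denies. So the narrow check is not merely stricter; it can also say yes where execve() would say no, which is why the check needs the full list to agree with what the OS will actually do.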
