httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: Time's a wastin'
Date Tue, 24 Sep 1996 02:02:23 GMT

Agreed.


> Randy Terbush wrote:
> > 
> > > Jason A. Dour wrote:
> > > > 
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > 
> > > > On Mon, 23 Sep 1996, Jim Jagielski wrote:
> > > > > I have the patch, and it's "required" by many multi-group OSs.
> > > > > I'll commit
> > > > 
> > > > 	How so?  I can't see how it would be a "requirement"...  Please
> > > > explain.  Sorry to be redundant, please excuse me.  ;)
> > > > 
> > > 
> > > the can_exec() call should check each possible group, instead of the
> > > default. Thus, if the OS uses multiple groups, then Apache should support
> > > that.
> > 
> > I see your argument. Do you see the reason that Jason and I decided not
> > to support multiple groups in setuid() execution?
> > 
> > I don't necessarily want Joe Blow running my CGI program as _me_ just
> > because we both happen to be in group www (unbeknownst to me) and I
> > was stupid enough to leave the group x-bit set.
> > 
> 
> That would be a Bad Thing, no doubt at all about that. Any "wrapper"
> should do both a setgid and setuid (in that order of course) to
> ensure that the process only runs with the perms that that user
> would. In that case, it's better to clear out the extra group
> privs and run under the regular user's group. For example,
> cgiwrap does that as well.
> 
> The can_exec() call, however, simply sees if a file is executable.
> It does so by checking if it's runnable by the uid, gid and, at the
> end, the world. The patch simply makes sure that can_exec() also
> checks any extra groups the process may have, which makes sense.
> For example, say only one group can run perl scripts. You want to
> make sure the httpd process can do that, but you don't necessarily
> want the httpd process's main group to be that one.
> -- 
> Jim Jagielski  << jim@jaguNET.com >>   |   "If we took the bones out
>   **  jaguNET Access Services  **      |    then it wouldn't be crunchy"
>       Email: info@jaguNET.com          |            Whizzo Crunchy Frog
> ++    http://www.jaguNET.com/         +++      Voice/Fax: 410-931-3157       ++



