httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <>
Subject Re: Time's a wastin'
Date Tue, 24 Sep 1996 13:51:09 GMT
Jason A. Dour wrote:
> I don't *try* to be obtuse...really I don't...but...
> On Tue, 24 Sep 1996, Jim Jagielski wrote:
> > But the can_exec() stuff doesn't do anything about setuid. It's basically
> > called in mod_cgi.c to see if the httpd process can exec a script.
> > can_exec() _should_ check the entire grouplist for the httpd "user".
> 	OK...I now understand that you are referring specifically to
> can_exec and not the model as a whole...sorry for the confusion on my end.
> 	Now on to my next tedious question... "Why?" Present me
> situations, if you can...  I really just do not see why this is necessary.

Sure. The present setup assumes that for Apache to run the script,
it's either owned by Apache (not good), world executable (again not
good) or be group executable by the actual group that Apache is
running as. Thus, most scripts are, or should be, 550 root/apache
(where "apache" == whatever the Group id is). Now say you have a
script that looks through some logfiles for some other application
(like accounting). This these logfiles are readable by the group
'acct' and the script is mode 550 root/acct (thus only users who
are in the acct group can read the logfiles and run the script).
Furthermore, you don't want those in the 'acct' group to be able to
look at some httpd stuff (again, there's no need and maybe a VERY
good reason).

The way around this is to make the apache uid also be a member of the
acct group. This keeps things nice and seperate but also allows for
some extra capability.

Jim Jagielski  << >>   |   "If we took the bones out
  **  jaguNET Access Services  **      |    then it wouldn't be crunchy"
      Email:          |            Whizzo Crunchy Frog
++         +++      Voice/Fax: 410-931-3157       ++

View raw message