httpd-dev mailing list archives

From "Jason A. Dour" <...@bcc.louisville.edu>
Subject Re: Time's a wastin'
Date Mon, 23 Sep 1996 17:29:33 GMT

On Mon, 23 Sep 1996, Randy Terbush wrote:
> > BUGS
> > 3      When a sub-program is about to be run, Apache checks for correct
> >        permissions, but it does not account for other groups that the
> >        current user might be in. PATCH AVAILABLE.
> Much of this has changed in 1.2. I would point out that Jason and I
> made a decision to nuke other groups that the user might be in just
> to be paranoid when doing setuid execution. Could I see the patch for
> this?

	Here's the way I see this...  Sorry if this has already been
covered...  I've been too busy to keep up lately...

	The server checks the primary group...it's simpler and faster than
trying to check a whole list of groups against the current file.  If the
user wants to specify a specific group from his group access list, then
she can code it into the program.

	Notice this only is an issue with ~userdir EXEC calls.  All others
should have a Group specified either by the VHost, or later on, the Dir or
Loc.  The setuid portion of suEXEC resets the group information, and
establishes a group access list from *all* of the uid's groups.
Therefore, the program should easily be able to act upon such group
membership.

	Is this still a problem for people?  Personally, I see it as a
necessary security check...

Jason
+ Jason A. Dour                       jad@bcc.louisville.edu               +
| Programmer Analyst II               http://www.louisville.edu/~jadour01/ |
| Dept. of Radiation Oncology         Finger for Geek Code, PGP Public Key,|
+ University of Louisville            PJ Harvey info, and other stuff...   +



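As an added illustration (not suEXEC's source, nor code from the thread), here is the order of operations the message describes: the server-side check compares only the target file's primary group, and the setuid step then rebuilds the supplementary group list from all of the user's groups before switching uid, so the program itself can act on full membership. Function names are assumptions; `become_user` only succeeds when run as root.

```c
/* Added example: primary-group check followed by a verified privilege drop.
 * Not suEXEC code; names and structure are this example's own. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Server-side check: the target must be owned by the configured group.
 * Only the primary gid is consulted, as the message states. */
int primary_group_ok(gid_t file_gid, gid_t target_gid)
{
    return file_gid == target_gid;
}

/* stat() the target and apply the check.
 * Returns 1 = group matches, 0 = wrong group, -1 = stat failed. */
int check_target(const char *path, gid_t target_gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return primary_group_ok(st.st_gid, target_gid);
}

/* Program-side check: after initgroups() the process carries every group
 * of the uid (obtainable via getgroups()), so the program may consult the
 * whole access list itself rather than relying on the primary gid. */
int in_group_list(gid_t gid, const gid_t *list, int n)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* The setuid step, in the only safe order: gid first (while still root),
 * then the supplementary list from all of the user's groups, then uid.
 * Afterwards verify the drop took effect and cannot be reversed.
 * Returns 0 on success, -1 on any failure. Requires root. */
int become_user(const char *name, uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || initgroups(name, gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    /* regaining root must fail; if it succeeds, the drop was incomplete */
    return setuid(0) == 0 ? -1 : 0;
}
```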