httpd-dev mailing list archives

From "Jason A. Dour" <>
Subject Re: Time's a wastin'
Date Mon, 23 Sep 1996 17:29:33 GMT

On Mon, 23 Sep 1996, Randy Terbush wrote:
> > BUGS
> > 3      When a sub-program is about to be run, Apache checks for correct
> >        permissions, but it does not account for other groups that the
> >        current user might be in. PATCH AVAILABLE.
> Much of this has changed in 1.2. I would point out that Jason and I
> made a decision to nuke other groups that the user might be in just
> to be paranoid when doing setuid execution. Could I see the patch for
> this?

	Here's the way I see this...  Sorry if this has already been
covered...  I've been too busy to keep up lately...

	The server checks the primary's simpler and faster than
trying to check a whole list of groups against the current file.  If the
user wants to specify a specific group from his group access list, then
she can code it into the program.

	Notice this only is an issue with ~userdir EXEC calls.  All others
should have a Group specified either by the VHost, or later on, the Dir or
Loc.  The setuid portion of suEXEC resets the group information, and
establishes a group access list from *all* of the uid's groups.
Therefore, the program should easily be able to act upon such group

	Is this still a problem for people?  Personally, I see it as a
necessary security check...

+ Jason A. Dour                            +
| Programmer Analyst II      |
| Dept. of Radiation Oncology         Finger for Geek Code, PGP Public Key,|
+ University of Louisville            PJ Harvey info, and other stuff...   +
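As an added illustration of the two policies argued over above (this is example code, not Apache's suEXEC source and not the message author's), the primary-group-only check the message defends is set beside the full access-list check the bug report asked for, followed by the setuid-time sequence the message describes, in which the supplementary list is rebuilt from all of the user's groups. Function names and the sample gids are assumptions for this example.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Primary-group-only check, as the message describes: the target's
 * group must equal the user's primary gid. Returns 1 on match. */
int primary_group_ok(gid_t file_gid, gid_t primary_gid) {
    return file_gid == primary_gid;
}

/* Full access-list check, as the bug report wanted: the target's group
 * may be any group the user belongs to. Returns 1 on match. */
int any_group_ok(gid_t file_gid, const gid_t *groups, int ngroups) {
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == file_gid) return 1;
    return 0;
}

/* Constructed sample access list used by the test (not real accounts). */
const gid_t sample_groups[] = {100, 200, 300};

/* Privilege drop in the order the message describes: set the gid, rebuild
 * the supplementary list from *all* of the user's groups (initgroups), then
 * give up the uid last and verify. Returns 0 on success, -1 on failure.
 * Needs root, so the test below does not call it. */
int drop_to_user(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (initgroups(user, pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (getuid() != pw->pw_uid || getgid() != pw->pw_gid) return -1;
    return 0;
}

/* Usage: report how a target file fares under each check for the caller. */
int main(int argc, char **argv) {
    struct stat st;
    gid_t gs[64];
    if (argc < 2 || stat(argv[1], &st) != 0) return 1;
    int n = getgroups(64, gs);
    if (n < 0) return 1;
    printf("primary-only: %d  any-group: %d\n",
           primary_group_ok(st.st_gid, getgid()), any_group_ok(st.st_gid, gs, n));
    return 0;
}
```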
