httpd-dev mailing list archives

From "Jason A. Dour" <...@bcc.louisville.edu>
Subject Re: Time's a wastin'
Date Tue, 24 Sep 1996 10:56:20 GMT

OK...time for me to be obtuse...sorry.  8)

On Mon, 23 Sep 1996, Jim Jagielski wrote:
> That would be a Bad Thing, no doubt at all about that. Any "wrapper"
> should do both a setgid and setuid (in that order of course) to

	suexec *does* setuid and setgid, *and* resets the group access
list to include *all* groups of which the executing user is a member.
Therefore, the user has the ability to change their active group (if
necessary) within the code of their program.  On systems with multi-group
access, it won't matter, since the OS will see their group access list and
use the proper group from that.

	Am I totally missing something, or does this not address what you
are saying?

> The can_exec() call, however, simply sees if a file is executable.

	But can_exec was stripped down to minimal checks due to requests
here on the list...  suexec.c handles all the setuid-related stuff...

Jason
+ Jason A. Dour                       jad@bcc.louisville.edu               +
| Programmer Analyst II               http://www.louisville.edu/~jadour01/ |
| Dept. of Radiation Oncology         Finger for Geek Code, PGP Public Key,|
+ University of Louisville            PJ Harvey info, and other stuff...   +

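The ordering discussed in this thread (reset the group access list, then setgid, then setuid), as an added C example; it is not suexec.c or any code posted to the list. `switch_identity` and `verify_identity` are hypothetical names, and the code assumes a POSIX system that provides `initgroups()`.

```c
#define _DEFAULT_SOURCE            /* exposes initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum { ID_OK = 0, ID_ERR_GROUPS = -1, ID_ERR_GID = -2,
       ID_ERR_UID = -3, ID_ERR_VERIFY = -4 };

/* ID_OK only if real and effective IDs equal the target and, for a
 * non-root target, root cannot be regained through a saved ID. */
int verify_identity(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return ID_ERR_VERIFY;
    if (getgid() != gid || getegid() != gid) return ID_ERR_VERIFY;
    if (uid != 0 && seteuid(0) == 0)         return ID_ERR_VERIFY;
    return ID_OK;
}

/* Hypothetical helper: become `user` the way a setuid-root wrapper must. */
int switch_identity(const char *user, uid_t uid, gid_t gid)
{
    /* 1. Replace root's supplementary groups with the user's own list. */
    if (initgroups(user, gid) != 0) return ID_ERR_GROUPS;
    /* 2. Primary group next, while the process is still privileged. */
    if (setgid(gid) != 0)           return ID_ERR_GID;
    /* 3. UID last: once root is gone, steps 1 and 2 would fail. */
    if (setuid(uid) != 0)           return ID_ERR_UID;
    /* Do not trust the return codes alone; confirm the result. */
    return verify_identity(uid, gid);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <username>  (run as root)\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", argv[1]);
        return 1;
    }
    int rc = switch_identity(argv[1], pw->pw_uid, pw->pw_gid);
    int ngroups = getgroups(0, NULL);   /* size of the group access list */
    printf("rc=%d uid=%ld gid=%ld groups=%d\n", rc,
           (long)getuid(), (long)getgid(), ngroups);
    return rc == ID_OK ? 0 : 1;
}
```

Skipping step 1 leaves the child with root's supplementary groups even though its UID and GID look correct, which is why the group access list is reset before the IDs change.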