Received: by taz.hyperreal.com (8.7.5/V2.0) id SAA02630;
    Mon, 23 Sep 1996 18:55:18 -0700 (PDT)
Received: from shado.jaguNET.com by taz.hyperreal.com (8.7.5/V2.0)
    with ESMTP id SAA02622; Mon, 23 Sep 1996 18:55:16 -0700 (PDT)
Received: (from jim@localhost) by shado.jaguNET.com (8.7.6/jag-2.2)
    id VAA02415 for new-httpd@hyperreal.com;
    Mon, 23 Sep 1996 21:55:09 -0400 (EDT)
From: Jim Jagielski
Message-Id: <199609240155.VAA02415@shado.jaguNET.com>
Subject: Re: Time's a wastin'
To: new-httpd@hyperreal.com
Date: Mon, 23 Sep 1996 21:55:09 -0400 (EDT)
In-Reply-To: <199609240128.UAA21463@sierra.zyzzyva.com> from "Randy Terbush" at Sep 23, 96 08:28:07 pm
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

Randy Terbush wrote:
>
> > Jason A. Dour wrote:
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > >
> > > On Mon, 23 Sep 1996, Jim Jagielski wrote:
> > > > I have the patch, and it's "required" by many multi-group OSs.
> > > > I'll commit
> > >
> > > How so? I can't see how it would be a "requirement"... Please
> > > explain. Sorry to be redundant, please excuse me. ;)
> > >
> >
> > the can_exec() call should check each possible group, instead of the
> > default. Thus, if the OS uses multiple groups, then Apache should support
> > that.
>
> I see your argument. Do you see the reason that Jason and I decided not
> to support multiple groups in setuid() execution?
>
> I don't necessarily want Joe Blow running my CGI program as _me_ just
> because we both happen to be in group www (unbeknownst to me) and I
> was stupid enough to leave the group x-bit set.
>

That would be a Bad Thing, no doubt at all about that. Any "wrapper"
should do both a setgid and setuid (in that order of course) to ensure
that the process only runs with the perms that that user would. In that
case, it's better to clear out the extra group privs and run under the
regular user's group. For example, cgiwrap does that as well.

The can_exec() call, however, simply sees if a file is executable. It
does so by checking if it's runnable by the uid, gid and, at the end,
the world. The patch simply makes sure that can_exec() also checks any
extra groups the process may have, which makes sense. For example, say
only one group can run perl scripts. You want to make sure the httpd
process can do that, but you don't necessarily want the httpd process's
main group to be that one.

-- 
Jim Jagielski  << jim@jaguNET.com >>   |      "If we took the bones out
  **  jaguNET Access Services  **      |       then it wouldn't be crunchy"
      Email: info@jaguNET.com          |        Whizzo Crunchy Frog
++    http://www.jaguNET.com/    +++      Voice/Fax: 410-931-3157       ++
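
The supplementary-group check described in this message, as an added example; it is neither the patch under discussion nor Apache's own code. `can_exec_as`, `can_exec_path` and `MAX_GROUPS` are hypothetical names, and the check assumes the kernel's order (the first matching class of owner, group, other decides) with root and ACLs not modelled.

```c
#include <stddef.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256  /* assumed upper bound for this example */

/* Hypothetical helper (not Apache's can_exec()): may a process with this
 * uid, primary gid and supplementary groups execute a file with the given
 * owner, group and mode? The first class that matches (owner, then group,
 * then other) decides. Root and ACLs are ignored. */
int can_exec_as(uid_t f_uid, gid_t f_gid, mode_t mode,
                uid_t uid, gid_t gid, const gid_t *extra, size_t n_extra)
{
    size_t i;

    if (uid == f_uid)
        return (mode & S_IXUSR) != 0;
    if (gid == f_gid)
        return (mode & S_IXGRP) != 0;
    /* The point made in the message: the primary gid is not the only
     * group membership the process may have. */
    for (i = 0; i < n_extra; i++)
        if (extra[i] == f_gid)
            return (mode & S_IXGRP) != 0;
    return (mode & S_IXOTH) != 0;
}

/* Same check for the running process against a real path. */
int can_exec_path(const char *path)
{
    struct stat st;
    gid_t groups[MAX_GROUPS];
    int n;

    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    n = getgroups(MAX_GROUPS, groups);
    if (n < 0)
        n = 0;  /* fall back to uid and primary gid only */
    return can_exec_as(st.st_uid, st.st_gid, st.st_mode,
                       geteuid(), getegid(), groups, (size_t)n);
}
```

With a constructed script owned by uid 0, group 500, mode 0750, a server running as uid and gid 65534 passes this check only when 500 is among its supplementary groups, which is the "only one group can run perl scripts" case from the message.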