Received: by taz.hyperreal.com (8.7.5/V2.0) id GAA25156;
 Tue, 24 Sep 1996 06:51:12 -0700 (PDT)
Received: from shado.jaguNET.com by taz.hyperreal.com (8.7.5/V2.0) with ESMTP
 id GAA25150; Tue, 24 Sep 1996 06:51:10 -0700 (PDT)
Received: (from jim@localhost) by shado.jaguNET.com (8.7.6/jag-2.2) id
 JAA09555 for new-httpd@hyperreal.com; Tue, 24 Sep 1996 09:51:09 -0400 (EDT)
From: Jim Jagielski <jim@jaguNET.com>
Message-Id: <199609241351.JAA09555@shado.jaguNET.com>
Subject: Re: Time's a wastin'
To: new-httpd@hyperreal.com
Date: Tue, 24 Sep 1996 09:51:09 -0400 (EDT)
In-Reply-To: 
 <Pine.LNX.3.95.960924093227.4262A-100000@curie.bcc.louisville.edu> from
 "Jason A. Dour" at Sep 24, 96 09:34:53 am
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

Jason A. Dour wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> I don't *try* to be obtuse...really I don't...but...
> 
> On Tue, 24 Sep 1996, Jim Jagielski wrote:
> > But the can_exec() stuff doesn't do anything about setuid. It's basically
> > called in mod_cgi.c to see if the httpd process can exec a script.
> > can_exec() _should_ check the entire grouplist for the httpd "user".
> 
> 	OK...I now understand that you are referring specifically to
> can_exec and not the model as a whole...sorry for the confusion on my end.
> 
> 	Now on to my next tedious question... "Why?" Present me
> situations, if you can...  I really just do not see why this is necessary.
> 

Sure. The present setup assumes that for Apache to run the script,
it's either owned by Apache (not good), world executable (again not
good) or be group executable by the actual group that Apache is
running as. Thus, most scripts are, or should be, 550 root/apache
(where "apache" == whatever the Group id is). Now say you have a
script that looks through some logfiles for some other application
(like accounting). This these logfiles are readable by the group
'acct' and the script is mode 550 root/acct (thus only users who
are in the acct group can read the logfiles and run the script).
Furthermore, you don't want those in the 'acct' group to be able to
look at some httpd stuff (again, there's no need and maybe a VERY
good reason).

The way around this is to make the apache uid also be a member of the
acct group. This keeps things nice and seperate but also allows for
some extra capability.


-- 
Jim Jagielski  << jim@jaguNET.com >>   |   "If we took the bones out
  **  jaguNET Access Services  **      |    then it wouldn't be crunchy"
      Email: info@jaguNET.com          |            Whizzo Crunchy Frog
++    http://www.jaguNET.com/         +++      Voice/Fax: 410-931-3157       ++