httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject WWW Form Bug Report: "suid use of uid/gid is flawed for other models" on Solaris 2.x (fwd)
Date Thu, 05 Dec 1996 11:59:17 GMT

Not acked. One for Jason and Randy..

----- Forwarded message from ggm@connect.com.au -----

Message-Id: <199612050638.WAA24155@taz.hyperreal.com>
From: ggm@connect.com.au
To: apache-bugs%apache.org@organic.com
Date: Wed Dec  4 22:38:20 1996
Subject: WWW Form Bug Report: "suid use of uid/gid is flawed for other models" on Solaris 2.x

Submitter: ggm@connect.com.au
Operating system: Solaris 2.x, version: 
Version of Apache Used: apache_1.2b1
Extra Modules used: 
URL exhibiting problem: 

Symptoms:
--
I have local private code to do chroot/setuid/setgid
before all fork/exec instances. It's much more
secure than SUID wrappers. We run Virtual webs
in this way to permit login access under chroot
as well.

I've submitted the code to Tim Hudson of Mincom
who was looking into a clean integration into
Apache.

The SUID code embeds use of server_uid and server_gid
which I can leverage off, but the assumption that
this is enabled if the binary of SUIDBIN is found
is kinda wrong. 

I think you want this to be controlled in other
ways as well to permit other models of setuid
to apply (like mine) which will mean better
separation of SUIDBIN from this concept of what
uid to run as in a given virtual web instance..

This isn't a bug so much as a flaw in design which
I think will bite you if anybody (like me) offers
in another model of perms control.

cheers
	-George
--

Backtrace:
--

--

----- End of forwarded message from ggm@connect.com.au -----

-- 
Rob Hartill.       Internet Movie Database Ltd.    http://www.imdb.com/  
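
The chroot/setgid/setuid-before-exec model the forwarded report describes, sketched as an added example (not the submitter's private code and not Apache's). The names `struct vhost_exec`, `confine_and_drop` and `spawn_confined` are hypothetical, and the per-virtual-host uid/gid is carried in its own structure rather than inferred from the presence of a wrapper binary.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical per-virtual-host settings; names are illustrative only. */
struct vhost_exec {
    const char *jail;  /* directory to chroot into */
    uid_t uid;         /* uid the child runs as */
    gid_t gid;         /* gid the child runs as */
};

/* Confine and drop privileges in the calling process. Order matters:
 * chroot() and setgroups() need root, and the gid must change before the
 * uid, because after setuid() the process can no longer change groups. */
int confine_and_drop(const struct vhost_exec *v)
{
    if (v->uid == 0 || v->gid == 0) return -1;   /* refuse to "drop" to root */
    if (chroot(v->jail) != 0) return -1;
    if (chdir("/") != 0) return -1;              /* leave no cwd outside the jail */
    if (setgroups(0, NULL) != 0) return -1;      /* clear supplementary groups */
    if (setgid(v->gid) != 0) return -1;
    if (setuid(v->uid) != 0) return -1;
    if (setuid(0) == 0) return -1;               /* the drop must be irreversible */
    return 0;
}

/* Fork, confine the child, then exec; the parent keeps its privileges.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int spawn_confined(const struct vhost_exec *v, const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (confine_and_drop(v) != 0) _exit(126); /* fail closed: never exec unconfined */
        execv(path, argv);
        _exit(127);                               /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The child exits with 126 when confinement fails, so a caller can distinguish "refused to run unconfined" from the program's own exit status.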
