Received: by taz.hyperreal.com (8.8.3/V2.0) id GAA01930; Tue, 14 Jan 1997 06:18:09 -0800 (PST)
Received: from sierra.zyzzyva.com by taz.hyperreal.com (8.8.3/V2.0) with ESMTP id GAA01922; Tue, 14 Jan 1997 06:18:05 -0800 (PST)
Received: from sierra (localhost [127.0.0.1]) by sierra.zyzzyva.com (8.8.4/8.8.2) with ESMTP id IAA18826 for ; Tue, 14 Jan 1997 08:19:40 -0600 (CST)
Message-Id: <199701141419.IAA18826@sierra.zyzzyva.com>
To: new-httpd@hyperreal.com
Subject: Re: and now back to snprintf
In-reply-to: jad's message of Tue, 14 Jan 1997 07:38:46 -0500.
X-uri: http://www.zyzzyva.com/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 14 Jan 1997 08:19:39 -0600
From: Randy Terbush
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

> On Mon, 13 Jan 1997, Randy Terbush wrote:
>
> > > Anyone want to expand on the suexec docs and warnings?
> >
> > Don't worry about the suexec docs. I would appreciate it if someone
> > other than me could make some changes, but if not, I will see that
> > it gets done by the next beta.
>
> I'll help, but I'm swamped at the mo'. Class started last night,
> just adding one more thing to the pile. I'll try to take a fresh look at
> the dox this weekend.
>
> What's the status of your latest patch, Randy? May I finish up my
> work and submit the patch for the enviro and CLA changes?
>
> Jason

I mailed you a copy of the patch last week. I committed it this past
weekend including your changes.

From CHANGES:

  *) Several security enhancements to suexec wrapper. It is _highly_
     recommended that previously installed versions of the wrapper
     be replaced with this version. [Randy Terbush, Jason Dour]

     - ~user execution now properly restricted to ~user's home
       directory and below.
     - execution restricted to UID/GID > 100
     - restrict passed environment to known variables
     - call setgid() before initgroups() (portability fix)
     - remove use of setenv() (portability fix)
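
Added example, not part of the original message and not the suexec source: a C sketch of the first three checks in the CHANGES entry above (home-directory containment, UID/GID > 100, environment allow-listing). The function names, the allow-list contents and the sample environment are assumptions made for illustration.

```c
#include <string.h>
#include <sys/types.h>

#define MIN_ID 100u /* from the CHANGES entry: UID/GID must be > 100 */

/* Hypothetical allow-list for illustration; not the wrapper's real list. */
static const char *const SAFE_ENV[] = {
    "CONTENT_LENGTH", "CONTENT_TYPE", "PATH_INFO", "QUERY_STRING",
    "REMOTE_ADDR", "REQUEST_METHOD", "SERVER_NAME", NULL
};

/* 1 if "NAME=value" has a NAME that is exactly on the allow-list. */
int env_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;   /* no '=' or empty name */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; SAFE_ENV[i] != NULL; i++)
        if (strlen(SAFE_ENV[i]) == n && memcmp(entry, SAFE_ENV[i], n) == 0)
            return 1;
    return 0;
}

/* Copy only allowed entries into out, which holds cap pointers including
 * the NULL terminator; returns how many entries were kept. */
size_t clean_env(char *const in[], char *out[], size_t cap) {
    size_t k = 0;
    if (cap == 0) return 0;
    for (size_t i = 0; in[i] != NULL && k + 1 < cap; i++)
        if (env_allowed(in[i])) out[k++] = in[i];
    out[k] = NULL;
    return k;
}

/* Both the target user and group must be above the minimum ID. */
int ids_allowed(uid_t uid, gid_t gid) { return uid > MIN_ID && gid > MIN_ID; }

/* 1 if dir is home or below it. Both paths are assumed to be canonical
 * already (e.g. from realpath()); the match must end on a '/' boundary,
 * so "/home/alice" does not admit "/home/alicex". */
int within_home(const char *home, const char *dir) {
    size_t n = strlen(home);
    if (n == 0 || strncmp(home, dir, n) != 0) return 0;
    return dir[n] == '\0' || dir[n] == '/' || home[n - 1] == '/';
}

/* Constructed sample environment, filtered through clean_env(). */
size_t demo_kept(void) {
    char *in[] = { "QUERY_STRING=a=1", "LD_PRELOAD=/tmp/x.so",
                   "REQUEST_METHOD=GET", "REQUEST_METHOD_X=1", "=bad", NULL };
    char *out[8];
    return clean_env(in, out, 8);
}
```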