httpd-dev mailing list archives

From Michael Douglass <>
Subject Re: [PATCH] various security problems
Date Tue, 24 Jun 1997 05:02:18 GMT
On Mon, Jun 23, 1997 at 12:52:47AM -0600, Marc Slemko said:

> > Are these problems worth creating a vendor initiated CERT advisory?
> No.  I don't see them as urgent enough to rush with anything.  There
> are always ways users can mess up your security.  This patch just helps
> to close a few of them.

I've been reading this list for a long, long time and have a lot of
respect for the core programming team on Apache.  But, one thing I hate
about *a lot* of vendors is that they wait until they fix something
before they alert people of a problem.  And the person who said 'since
it is here on this list...' is right, I'm sure 'people' monitor this

And this is serious enough because I am sure there are still many
misguided 'admins' out there who run their web server with special
privs who could have users that decide their ReadMe file needs to
symlink to /etc/shadow or some such; which a regular user cannot do on
a normal basis.

However, if an administrator is stupid enough to run his/her web server
as root, what makes any of us think he will receive CERT publications;
or even be on such lists as bugtraq and BoS?  Heh.

$0.02 worth.

Michael Douglass
Texas Networking, Inc.

  "Can one really have dejavu in their dreams?" -- Me.
