httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <br...@organic.com>
Subject Re: Apache NT errors
Date Fri, 27 Jun 1997 01:13:12 GMT
At 08:31 AM 6/26/97 -0400, you wrote:
>Ben Laurie wrote:
>> 
>> I dunno, but _if_ I get pserver access again, I'll look into it.
>
>In the meantime, can't we at least tcpwrapper it?
>
>After waiting the better part of an hour to do to do CVS stuff, I'm
>just sitting on my hands until all the bandwidth stuff is fixed.
>And to be honest, it's nice being able to work on some other
>stuff :)

>From section II on http://www.cyclic.com/cyclic-pages/news9706.html:

> If the machine running the CVS server also has running a service which
allows > for file upload (for example, anonymous FTP if configured to do
so), then > anyone who has the ability to upload files can gain full access
to the
> server system. If there is no service which allows file upload, then users 
> who already have some access to the server system can gain access as any 
> other user, including privileged users. 

So, essentially I'd be trusting Apache developers to not try to get root.
I trust and love you all, but I can't risk that.

However, I have looked over the security requirements for the fix on cyclic
pages, and now that Roy's done his blitzkreig of changes to CVSROOT files,
the restrictions now seem palatable.  So, I have installed 1.9.10, and done
the following:

1) made ~cvs chown'd root, chmod 755.
2) made ~cvs/CVSROOT chown'd root, chmod 755.

This means that any attempt to create new modules, or modify files under
CVSROOT, will fail.  If such changes are necessary, let me know and I'll
temporarily enable group write access so the change can happen.

So, I've turned back on pserver.  Have fun!

	Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL                brian@organic.com - hyperreal.org - apache.org

Mime
View raw message