httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Re: mod_cgi/918: if not using suexec, apache forces user to use server gid/uid settings
Date Sun, 27 Jul 1997 06:18:10 GMT
No.  The server looks at the permissions on the script that suexec will
execute, not the permissions on suexec.  Since when suexec eventually gets
around to running the script, it will probably be as a different UID,
checking based on the view of the user who runs suexec doesn't make sense.

The code could be expanded to know what user will be passed to suexec, but
it hasn't been.

On Sat, 26 Jul 1997, Dean Gaudet wrote:

> On Sat, 26 Jul 1997, Marc Slemko wrote:
> > No.  can_exec just doesn't know about magic user ID changes like those
> > that happen using suexec or some other wrapper.  It checks to see if it
> > can be execed given the user ID the server is running as now.  
> 
> Um yes, well, what other uid is the server going to attempt to execute it
> as? 
> 
> Am I totally confused?  I thought these things were setuid root (in the
> case of suexec), or setuid user (in the case of cgiwrap).  In either case
> the webserver needs permission to execute the file.  That's either group
> or other x that needs to be set.
> 
> Dean
> 
> 


Mime
View raw message