httpd-dev mailing list archives

From Aidan Cully <>
Subject no calls to seteuid in source tree?
Date Fri, 20 Nov 1998 22:53:58 GMT
A quick text-search through the v1.3.3 source seems to indicate that
while Apache is very careful to set the _real_ userid to the server
whose connection we're processing, it never sets the _effective_
userid to the real one.  I'm fairly green to the apache source, so I
expect I'm dead wrong on this, but I'd appreciate it if someone
could tell me either why I'm mistaken, and the effective userid _is_
set, or why this doesn't open up huge root holes in mod_perl, or
executables run without SuEXEC, or symlinks to user-unreadable files
across the entire system..

Aidan Cully       "You can't find your waitress/ With a geiger counter..
Panix Staff        She hates you and your friends and you just    Can't get served without her.."	-- Tom Waits
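
Added example, not part of the original message and not taken from the Apache source: a C routine for a permanent privilege drop that checks the real, effective and saved user ids the question distinguishes. The function names and the placeholder id 65534 are assumptions; it relies on the POSIX rule that setuid() called with effective uid 0 sets all three ids.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes setgroups() and seteuid() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if the process runs as non-root `uid` and cannot get root back. */
int privileges_dropped(uid_t uid)
{
    if (uid == 0 || getuid() != uid || geteuid() != uid)
        return 0;
    /* A saved set-user-ID of 0 would let seteuid(0) succeed: that is the
     * failure mode of changing only one of the three ids. */
    if (seteuid(0) == 0)
        return 0;
    return 1;
}

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                          /* staying root is not a drop */
    /* Supplementary groups and gid first; once root is gone they cannot change. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    /* With effective uid 0, setuid() sets real, effective and saved uid. */
    if (setuid(uid) != 0)
        return -1;
    return privileges_dropped(uid) ? 0 : -1;
}

int main(void)
{
    /* Constructed target: 65534 is a placeholder unprivileged id when started
     * as root; otherwise the process "drops" to the ids it already has. */
    uid_t uid = getuid() == 0 ? 65534 : getuid();
    gid_t gid = getuid() == 0 ? 65534 : getgid();
    int rc = drop_privileges(uid, gid);
    printf("drop to uid %lu: %s (real=%lu effective=%lu)\n", (unsigned long)uid,
           rc == 0 ? "ok" : "FAILED", (unsigned long)getuid(),
           (unsigned long)geteuid());
    return rc == 0 ? 0 : 1;
}
```

A caller should treat a non-zero return as fatal and exit rather than continue serving requests.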
