Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 23378 invoked by uid 6000); 20 Nov 1998 22:54:05 -0000
Received: (qmail 23368 invoked from network); 20 Nov 1998 22:54:03 -0000
Received: from mail2.panix.com (166.84.0.213) by taz.hyperreal.org with SMTP; 20 Nov 1998 22:54:03 -0000
Received: from panix7.panix.com (root@panix7.nyc.access.net [166.84.0.232]) by mail2.panix.com (8.8.8/8.8.8/PanixM1.3) with ESMTP id RAA24563 for ; Fri, 20 Nov 1998 17:53:58 -0500 (EST)
Received: (from aidan@localhost) by panix7.panix.com (8.8.8/8.7.1/PanixN1.0) id RAA14984 for new-httpd@apache.org; Fri, 20 Nov 1998 17:53:58 -0500 (EST)
Message-ID: <19981120175358.A14404@panix.com>
Date: Fri, 20 Nov 1998 17:53:58 -0500
From: Aidan Cully
To: new-httpd@apache.org
Subject: no calls to seteuid in source tree?
Mail-Followup-To: new-httpd@apache.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

A quick text-search through the v1.3.3 source seems to indicate that
while apache is very careful to set the _real_ userid to the server
whose connection we're processing, it never sets the _effective_ userid
to the real one. I'm fairly green to the apache source, so I expect I'm
dead wrong on this, but I'd appreciate it if someone could tell me either
why I'm mistaken, and the effective userid _is_ set, or why this doesn't
open up huge root holes in mod_perl, or executables run without SuEXEC,
or symlinks to user-unreadable files across the entire system..

TIA,
--aidan
--
Aidan Cully        "You can't find your waitress/ With a geiger counter..
Panix Staff         She hates you and your friends and you just
aidan@panix.com     Can't get served without her.."  -- Tom Waits
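
The real/effective distinction the message asks about can be checked from inside a running process. The following is an added example, not code from the message or from the Apache source: it classifies the caller's uid state and probes whether uid 0 can be regained. The names `classify_ids` and `audit_current_process` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for seteuid() under strict -std modes */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_state {
    DROP_OK = 0,         /* real == effective, non-root, root not regainable */
    DROP_EUID_MISMATCH,  /* real uid changed but effective uid did not follow */
    DROP_STILL_ROOT,     /* real and effective uid are both 0 */
    DROP_REVERSIBLE      /* ids look dropped, but uid 0 can be taken back */
};

/* Pure classification, so it can be checked on constructed id values. */
enum drop_state classify_ids(uid_t ruid, uid_t euid, int can_regain_root)
{
    if (ruid != euid)
        return DROP_EUID_MISMATCH;   /* the situation the message worries about */
    if (euid == 0)
        return DROP_STILL_ROOT;
    return can_regain_root ? DROP_REVERSIBLE : DROP_OK;
}

/* Audit the calling process. The saved set-user-ID cannot be read portably,
 * so it is probed: if a non-root process can seteuid(0), the drop was not
 * permanent. The original effective uid is restored after the probe. */
enum drop_state audit_current_process(void)
{
    uid_t ruid = getuid();
    uid_t euid = geteuid();
    int can_regain_root = 0;

    if (euid != 0 && seteuid(0) == 0) {
        can_regain_root = 1;
        if (seteuid(euid) != 0)      /* could not undo the probe */
            return DROP_STILL_ROOT;
    }
    return classify_ids(ruid, euid, can_regain_root);
}

int main(void)
{
    enum drop_state s = audit_current_process();
    printf("ruid=%ld euid=%ld state=%d\n",
           (long)getuid(), (long)geteuid(), (int)s);
    return s == DROP_OK ? 0 : 1;
}
```

Run as an ordinary user it reports state 0; run as root it reports state 2.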