httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ralf S. Engelschall" <>
Subject Re: [PATCH] SECURITY: UID of htdocs & icons data
Date Sun, 06 Dec 1998 18:29:22 GMT

In article <> you wrote:
> On Sun, 6 Dec 1998, Ralf S. Engelschall wrote:

>> +  *) SECURITY: When installing Apache under root some files from htdocs/ and
>> +     icons/ are installed with the UID/GID of the user who rolled the Apache
>> +     tarball and not with the UID of root. When this UID is mapped to an
>> +     existing local user this user was able to modify the manual pages and
>> +     icons. [Ralf S. Engelschall] PR#3494

> I fix this in the release tarballs I roll (for WU-FTPD, not Apache) by
> rolling them _as_ root (dunno, never looked to see if tar has an option
> for clearing the UID/GID in the tarball).  That way when un-tar'd by root
> the UID and GID are root and when by anyone else they're the user's.  I
> consider that a policy of 'least surprise'.  It always bothers me when, as
> root, I un-tar a package and the files end up owned by some UID/GID which
> doesn't even exist on my system or, worse yet, owned by one of my
> customers.

> Fixing this at install time is a fine backstop (yes, set the GID to 0) but
> it should be fixed in the 'howto release'.

Interesting solution. But currently those who roll the Apache tarballs
have not root access on the machine they usually roll it. Nevertheless
a good idea...
                                       Ralf S. Engelschall

View raw message