httpd-dev mailing list archives

From "Ralf S. Engelschall" <>
Subject Re: [PATCH] SECURITY: UID of htdocs & icons data
Date Sun, 06 Dec 1998 18:34:10 GMT

In article <> you wrote:
> Ralf S. Engelschall wrote:
>> Here is a patch for PR#3494. Should we also do something for the GID? The
>> problem is that we cannot know which GID exists for root. Ok, we can use the
>> numerical GID 0, which on almost all platforms corresponds to root.  Ideas?

> Use the same UID/GID as the daemon runs as? nobody/nobody
> I'm not sure if this is a security hole...

> Use the same UID/GID as the user who does the 'make install' ?
> this is most often root/administrator or similar

> I think 2) is the best approach

Sure, using the UID/GID of the installer is what I want to do. But what's the
most portable way to determine this UID/GID from the shell? That's my
problem! The UID is easy, because "root" always exists. But what to do for the
GID? On some systems root's GID is "wheel", on others "root" and whatever
else. So my only idea is to not do a "chown root"; instead, I think we would be
even better off doing "chown 0" + "chgrp 0", because this should work on all
platforms (as long as we assume a GID=0 is the group of "root" or at least
not a GID used by regular user groups).

More opinions?
                                       Ralf S. Engelschall
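
Added example (not part of the original message and not code from the Apache install scripts): a POSIX shell version of the numeric-ID approach discussed above, plus a check that reports installed files still owned by some other UID/GID. It assumes an id(1) that supports -u and -g; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the Apache Makefile.

# Print "UID GID" of the user running the install, as numbers.
# Assumption: a POSIX id(1) that supports -u and -g.
installer_ids() {
    printf '%s %s\n' "$(id -u)" "$(id -g)"
}

# set_numeric_owner DIR UID GID
# Numeric IDs avoid guessing whether root's group is "wheel" or "root".
set_numeric_owner() {
    chown -R "$2" "$1" && chgrp -R "$3" "$1"
}

# count_foreign_owned DIR UID GID
# Count entries under DIR whose owner or group differs from UID/GID.
# (A file name containing a newline is counted once per line.)
count_foreign_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print | wc -l | tr -d ' '
}

# Stand-alone use: sh check-owner.sh DIR   (audits DIR against 0:0)
if [ "$#" -eq 1 ]; then
    n=$(count_foreign_owned "$1" 0 0)
    echo "$n entries under $1 are not owned by 0:0"
fi
```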
