httpd-dev mailing list archives

From Gregory A Lundberg <lundb...@vr.net>
Subject Re: [PATCH] SECURITY: UID of htdocs & icons data
Date Sun, 06 Dec 1998 17:24:36 GMT
On Sun, 6 Dec 1998, Ralf S. Engelschall wrote:

> +  *) SECURITY: When installing Apache under root some files from htdocs/ and
> +     icons/ are installed with the UID/GID of the user who rolled the Apache
> +     tarball and not with the UID of root. When this UID is mapped to an
> +     existing local user this user was able to modify the manual pages and
> +     icons. [Ralf S. Engelschall] PR#3494

I fix this in the release tarballs I roll (for WU-FTPD, not Apache) by
rolling them _as_ root (dunno, never looked to see if tar has an option
for clearing the UID/GID in the tarball).  That way when un-tar'd by root
the UID and GID are root and when by anyone else they're the user's.  I
consider that a policy of 'least surprise'.  It always bothers me when, as
root, I un-tar a package and the files end up owned by some UID/GID which
doesn't even exist on my system or, worse yet, owned by one of my
customers.

Fixing this at install time is a fine backstop (yes, set the GID to 0) but
it should be fixed in the 'howto release'.

-- 

Gregory A Lundberg		Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195
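The two-part procedure discussed in this thread, rolling the release tarball so its entries carry UID/GID 0 and then checking ownership at install time, as an added shell example that is not part of the original message or of Apache's or WU-FTPD's own release scripts. It assumes GNU tar, whose `--owner` and `--group` options rewrite the ownership fields in the archive headers at creation time (so the tarball does not have to be rolled as root), and whose `--numeric-owner` option makes listings show raw UID/GID values. The `htdocs/` and `icons/` tree it builds is a constructed stand-in, and the UID 1234 used to simulate a packager's tarball is a made-up value.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires GNU tar.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a small constructed source tree standing in for htdocs/ and icons/.
make_tree() {   # $1 = directory to create
    mkdir -p "$1/htdocs/manual" "$1/icons"
    echo '<html>manual</html>' > "$1/htdocs/manual/index.html"
    printf 'GIF89a' > "$1/icons/folder.gif"
}

# Roll the release tarball with every entry's UID/GID forced to 0/0, so that
# extraction by root yields root-owned files no matter who ran tar. This works
# unprivileged: --owner/--group only rewrite the archive headers.
roll_release() {   # $1 = source dir, $2 = output tarball
    tar --owner=0 --group=0 -C "$1" -cf "$2" .
}

# Count archive entries whose numeric owner field is not 0/0. Prints the count;
# 0 means every entry in the archive is attributed to root.
foreign_owner_entries() {   # $1 = tarball
    tar --numeric-owner -tvf "$1" | awk '$2 != "0/0" { n++ } END { print n + 0 }'
}

# Install-time backstop: print every path under an install tree that is not
# owned by the expected uid/gid. Empty output means the tree is clean; the
# installer can then chown the listed paths when it runs as root.
audit_install_tree() {   # $1 = dir, $2 = expected uid, $3 = expected gid
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Demonstration on the constructed tree. The "packager" tarball simulates one
# rolled by an ordinary user (constructed UID 1234); the release tarball uses
# roll_release. Extraction here is unprivileged, so ownership on disk is the
# current user's either way; the audit is run against that user's ids.
make_tree "$WORK/src"
tar --owner=1234 --group=1234 -C "$WORK/src" -cf "$WORK/packager.tar" .
roll_release "$WORK/src" "$WORK/release.tar"
echo "packager tarball entries not owned by 0/0: $(foreign_owner_entries "$WORK/packager.tar")"
echo "release tarball entries not owned by 0/0:  $(foreign_owner_entries "$WORK/release.tar")"

mkdir -p "$WORK/install"
tar -C "$WORK/install" -xf "$WORK/release.tar"
echo "paths not owned by $(id -u):$(id -g) after install:"
audit_install_tree "$WORK/install" "$(id -u)" "$(id -g)"
```

On a system where the install step actually runs as root, `foreign_owner_entries` on the shipped tarball is the check to put in the release process, and `audit_install_tree install_dir 0 0` is the check to put at the end of `make install`; a non-empty result from the latter is exactly the condition the patch above guards against.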

