httpd-dev mailing list archives

From Aidan Cully <ai...@panix.com>
Subject Re: [PATCH] "responsible party" for requests.
Date Fri, 07 May 1999 20:51:01 GMT
On Fri, May 07, 1999 at 04:38:17PM, Raymond S Brand said:
> Aidan Cully wrote:
> > I've thought about this argument, and I don't think I buy it..  If a
> > file ever gets created that's owned by the user, and in a group the
> > user isn't in, there's already a security hole..  The user can already
> > chmod g+s on the file, and then call the setgid script from another
> > script since SuEXEC doesn't like setid.
> > 
> > And, of course, if the server isn't configured with this directive,
> > behaviour shouldn't change.
> > 
> 
> What about the situation where a user is removed from a group? This is
> the example where Apache/suexec is the security hole.

The point is that the hole exists outside of apache/suexec.  He can
_always_ chmod g+s on the file and get group privs.

--aidan
-- 
Aidan Cully       "The 16-day-old moon looks down sadly on a town overrun
Panix Staff        with wild dogs."
aidan@panix.com        --Abarenbo Shogun
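
Added example, not part of the original message or of Apache/suexec: a Python audit for the condition this thread discusses, regular files whose owner is not a member of the file's group, noting whether the setgid bit is already set. The names `groups_of` and `audit` and the `membership` parameter are hypothetical; membership is read from the local passwd and group databases.

```python
import grp
import os
import pwd
import stat
import sys


def groups_of(uid):
    """Return the set of gids the account with this uid belongs to, or None if the uid is unknown."""
    try:
        user = pwd.getpwuid(uid)
    except KeyError:
        return None
    gids = {user.pw_gid}  # primary group
    # supplementary groups: every group that lists the account by name
    gids.update(g.gr_gid for g in grp.getgrall() if user.pw_name in g.gr_mem)
    return gids


def audit(root, membership=groups_of):
    """Yield (path, uid, gid, setgid) for regular files whose owner is not in the file's group.

    `membership` (hypothetical hook) maps a uid to a set of gids, so the check
    can also be run against a snapshot of group data instead of the live system.
    """
    cache = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_uid not in cache:
                cache[st.st_uid] = membership(st.st_uid)
            gids = cache[st.st_uid]
            if gids is None or st.st_gid in gids:
                continue  # owner has no account, or owner is a member of the group
            yield path, st.st_uid, st.st_gid, bool(st.st_mode & stat.S_ISGID)


if __name__ == "__main__":
    # Usage: python audit_groups.py /path/to/docroot
    for path, uid, gid, setgid in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "setgid" if setgid else "no-setgid"
        print(f"{path}\towner_uid={uid}\tfile_gid={gid}\t{flag}")
```

Running it after removing a user from a group lists the files that still carry the old group and so need a chgrp.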
