httpd-dev mailing list archives

From Raymond S Brand <>
Subject Re: [PATCH] "responsible party" for requests.
Date Fri, 07 May 1999 20:38:17 GMT
Aidan Cully wrote:
> On Thu, May 06, 1999 at 05:46:04PM, Raymond S Brand said:
> > Aidan Cully wrote:

> I've thought about this argument, and I don't think I buy it..  If a
> file ever gets created that's owned by the user, and in a group the
> user isn't in, there's already a security hole..  The user can already
> chmod g+s on the file, and then call the setgid script from another
> script since SuEXEC doesn't like setid.
> And, of course, if the server isn't configured with this directive,
> behaviour shouldn't change.

What about the situation where a user is removed from a group? This is
the example where Apache/suexec is the security hole.

Raymond S Brand
