httpd-dev mailing list archives

From Raymond S Brand <r...@rsbx.net>
Subject Re: [PATCH] "responsible party" for requests.
Date Fri, 07 May 1999 21:16:24 GMT
Aidan Cully wrote:
> 
> On Fri, May 07, 1999 at 04:38:17PM, Raymond S Brand said:
> > Aidan Cully wrote:
> > > I've thought about this argument, and I don't think I buy it..  If a
> > > file ever gets created that's owned by the user, and in a group the
> > > user isn't in, there's already a security hole..  The user can already
> > > chmod g+s on the file, and then call the setgid script from another
> > > script since SuEXEC doesn't like setid.
> > >
> > > And, of course, if the server isn't configured with this directive,
> > > behaviour shouldn't change.
> > >
> >
> > What about the situation where a user is removed from a group? This is
> > the example where Apache/suexec is the security hole.
> 
> The point is that the hole exists outside of apache/suexec.  He can
> _always_ chmod g+s on the file and get group privs.
> 

Actually, most modern systems insist that the user be a member of the
group of the file for chmod g+s to work. So, on those systems, Apache/suexec
will be a security hole.

Raymond S Brand
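
An added audit example, not part of the original message or of the Apache/suexec code: it lists regular files whose owner is not a member of the file's group, the condition debated in this thread (for instance after a user has been removed from a group), and marks those that already carry the setgid bit. The function names are hypothetical, and account data is assumed to come from the local passwd and group databases.

```python
import grp
import os
import pwd
import stat
import sys


def owner_in_group(uid, gid, users, groups):
    """users: uid -> (name, primary_gid); groups: gid -> set of member names."""
    if uid not in users:
        return False  # orphaned uid: nobody to be a member, so report it
    name, primary_gid = users[uid]
    return gid == primary_gid or name in groups.get(gid, set())


def audit(entries, users, groups):
    """entries: iterable of (path, st_mode, st_uid, st_gid).
    Returns [(path, setgid_set)] for regular files whose owner is not in the file's group."""
    findings = []
    for path, mode, uid, gid in entries:
        if stat.S_ISREG(mode) and not owner_in_group(uid, gid, users, groups):
            findings.append((path, bool(mode & stat.S_ISGID)))
    return findings


def system_accounts():
    # Note: directory-backed accounts (LDAP, NIS) may not be enumerable here.
    users = {p.pw_uid: (p.pw_name, p.pw_gid) for p in pwd.getpwall()}
    groups = {g.gr_gid: set(g.gr_mem) for g in grp.getgrall()}
    return users, groups


def walk(root):
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid, st.st_gid


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    users, groups = system_accounts()
    for path, setgid in audit(walk(root), users, groups):
        print(("SETGID  " if setgid else "        ") + path)
```

Run it over the document root or user directories that suexec serves; every line it prints is a file that would carry a group its owner does not hold.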
