httpd-dev mailing list archives

From Jeff Trawick <>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Wed, 07 Jun 2000 16:53:28 GMT
> Date: Wed, 7 Jun 2000 10:46:27 -0600 (MDT)
> From: Marc Slemko <>
> On Wed, 7 Jun 2000, Jeff Trawick wrote:
> > One concern I have is with the permissions of the log directory (which
> > is where the Unix socket lives).  With this patch, the configured user
> > must have write access to that directory because we've already
> > switched to that user before creating the socket.  On my setup, at
> > least, I had to change the permissions of the log directory, because
> > the files which were created there all along were created while Apache
> > was running with euid zero.
> > 
> > (Maybe it is an existing requirement that the configured user can
> > write to the log directory; I dunno.)
> It is an existing requirement that the user Apache runs as (assuming it is
> started as root) MUST NOT be able to write to the logs directory (ie. any
> directory where logs, pid file, etc. are written).
> Setting permissions so that they can is a major security problem.

Thanks!!!  I'll explore other options :)

We don't want anybody but Apache to be able to send requests to the
cgi daemon, so it is nice that the permissions are rw------- to
minimize the exposure.  Hmmm...

Jeff Trawick | | PGP public key at web site:
          Born in Roswell... married an alien...
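
An added example, not part of the original message or of Apache's own code: a Python audit of the two permission properties discussed in this thread, that the configured user cannot write to the log directory and that the cgi daemon's socket is rw-------. The function names, the `cgisock` file name and the sample uid/gid values are assumptions; only classic mode bits are checked, not ACLs.

```python
import os
import stat
import tempfile

def user_can_write(st, uid, gids):
    """Classic Unix owner/group/other write check (ACLs are not consulted)."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def socket_mode_ok(mode):
    """True only for a Unix socket with no group/other permission bits."""
    return stat.S_ISSOCK(mode) and (stat.S_IMODE(mode) & 0o077) == 0

def audit(log_dir, sock_path, uid, gids):
    """Return a list of findings; an empty list means both properties hold."""
    findings = []
    if user_can_write(os.stat(log_dir), uid, gids):
        findings.append(f"uid {uid} can write to {log_dir}")
    try:
        mode = os.lstat(sock_path).st_mode
    except FileNotFoundError:
        return findings                  # no socket present: nothing to check
    if not socket_mode_ok(mode):
        findings.append(f"{sock_path} is not a socket restricted to its owner "
                        f"(mode {stat.filemode(mode)})")
    return findings

if __name__ == "__main__":
    # Constructed demo: a scratch directory stands in for the log directory,
    # and the uid/gid are chosen so they match neither its owner nor its group.
    with tempfile.TemporaryDirectory() as logs:
        st = os.stat(logs)
        uid, gids = st.st_uid + 1, {st.st_gid + 1}
        sock = os.path.join(logs, "cgisock")   # hypothetical socket name
        for dir_mode in (0o755, 0o777):
            os.chmod(logs, dir_mode)
            print(oct(dir_mode), audit(logs, sock, uid, gids) or "ok")
```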
