httpd-dev mailing list archives

From Jeff Trawick <trawi...@bellsouth.net>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Wed, 07 Jun 2000 16:53:28 GMT
> Date: Wed, 7 Jun 2000 10:46:27 -0600 (MDT)
> From: Marc Slemko <marcs@znep.com>
> 
> On Wed, 7 Jun 2000, Jeff Trawick wrote:
> 
> > One concern I have is with the permissions of the log directory (which
> > is where the Unix socket lives).  With this patch, the configured user
> > must have write access to that directory because we've already
> > switched to that user before creating the socket.  On my setup, at
> > least, I had to change the permissions of the log directory, because
> > the files which were created there all along were created while Apache
> > was running with euid zero.
> > 
> > (Maybe it is an existing requirement that the configured user can
> > write to the log directory; I dunno.)
> 
> It is an existing requirement that the user Apache runs as (assuming it is
> started as root) MUST NOT be able to write to the logs directory (ie. any
> directory where logs, pid file, etc. are written).
> 
> Setting permissions so that they can is a major security problem.

Thanks!!!  I'll explore other options :)

We don't want anybody but Apache to be able to send requests to the
cgi daemon, so it is nice that the permissions are rw------- to
minimize the exposure.  Hmmm...

-- 
Jeff Trawick | trawick@ibm.net | PGP public key at web site:
     http://www.geocities.com/SiliconValley/Park/9289/
          Born in Roswell... married an alien...
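
The two constraints raised in this message (the user Apache runs as must not be able to write to the log directory, and the CGI daemon's socket should stay rw-------) can be checked with a short script. This is an added example, not part of the original thread or of Apache's code; the socket name, the uid/gid values and the temporary directory are constructed for illustration, and only mode bits are examined (POSIX ACLs are not consulted).

```python
import os
import socket
import stat
import tempfile

def can_write(st, uid, gids):
    """Mode-bit write check for uid/gids, following owner > group > other precedence."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_log_dir(path, uid, gids):
    """Return findings for a log directory and any Unix sockets inside it."""
    findings = []
    if can_write(os.stat(path), uid, gids):
        findings.append(f"{path}: writable by uid {uid}")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        mode = os.lstat(full).st_mode
        # Any group/other bit on the socket widens who can talk to the daemon.
        if stat.S_ISSOCK(mode) and stat.S_IMODE(mode) & 0o077:
            findings.append(f"{full}: socket mode {stat.S_IMODE(mode):04o}, expected 0600")
    return findings

def demo():
    """Constructed sample: a temporary 'logs' directory audited tight, then loosened."""
    # Hypothetical unprivileged server user, distinct from the directory owner.
    uid, gids = os.getuid() + 12345, {os.getgid() + 12345}
    with tempfile.TemporaryDirectory() as logs:
        sock_path = os.path.join(logs, "cgisock")  # constructed socket name
        with socket.socket(socket.AF_UNIX) as s:
            s.bind(sock_path)
            os.chmod(logs, 0o755)
            os.chmod(sock_path, 0o600)
            tight = audit_log_dir(logs, uid, gids)
            os.chmod(logs, 0o777)
            os.chmod(sock_path, 0o666)
            loose = audit_log_dir(logs, uid, gids)
    return tight, loose

if __name__ == "__main__":
    for label, result in zip(("tight", "loose"), demo()):
        print(label, result)
```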
