httpd-dev mailing list archives

From Jeff Trawick <trawi...@bellsouth.net>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Wed, 07 Jun 2000 17:08:14 GMT
> From: rbb@covalent.net
> Date: Wed, 7 Jun 2000 09:51:58 -0700 (PDT)
> 
> 
> > > One concern I have is with the permissions of the log directory (which
> > > is where the Unix socket lives).  With this patch, the configured user
> > > must have write access to that directory because we've already
> > > switched to that user before creating the socket.  On my setup, at
> > > least, I had to change the permissions of the log directory, because
> > > the files which were created there all along were created while Apache
> > > was running with euid zero.
> 
> Why not create the socket as root and then switch euid/egid?  This would
> seem to me to be the most secure way of doing this.
> 
> Ryan

That keeps the cgi daemon happy, but Apache is running as nobody
(perhaps) and won't be able to connect to the socket unless the socket
permissions allow anybody to connect to it.  Right?  But that opens up
the ability for any local user to send crap to it.


-- 
Jeff Trawick | trawick@ibm.net | PGP public key at web site:
     http://www.geocities.com/SiliconValley/Park/9289/
          Born in Roswell... married an alien...