httpd-users mailing list archives

From Jess Mahan <j...@digitalssg.net>
Subject Re: [users@httpd] Using SuExec with mod_vhost_alias
Date Fri, 19 Sep 2003 20:53:57 GMT
Which systems allow users to give away chown?

On Sun, 2003-10-19 at 08:10, Joshua Slive wrote:
> 
> On Thu, 18 Sep 2003 jess@digitalssg.net wrote:
> > Couldn't suexec just stat() the file being executed and setuid()
> > setgid() to that UID/GID?
> 
> This would be a HUGE security hole on systems that allow users to give
> away ownership using chown.  (Most systems don't do that anymore,
> but suexec needs to be safe everywhere.)
> 
> In any case, it would be a major change to the security model of suexec,
> and playing with suexec is a dangerous thing to do.
> 
> Joshua.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 





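The condition Joshua names can be queried per path: POSIX `pathconf()` with `_PC_CHOWN_RESTRICTED` reports whether an unprivileged owner may give a file away. The C program below is an added example, not part of the thread and not suexec code; `chown_is_restricted` and `owner_is_attributable` are hypothetical names, and it accepts a file's owner as evidence only when giveaway is blocked for that path.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1: only a privileged process may change the owner of `path`;
 * 0: an ordinary owner may give the file away; -1: the query failed. */
int chown_is_restricted(const char *path)
{
    errno = 0;
    long v = pathconf(path, _PC_CHOWN_RESTRICTED);
    if (v == -1 && errno != 0)
        return -1;
    return v > 0; /* 0, or -1 with errno untouched: treated as not in effect */
}

/* Hypothetical helper. 1: *owner is set to st_uid and that uid can be
 * attributed to the file; 0: ownership proves nothing; -1: error. */
int owner_is_attributable(const char *path, uid_t *owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))              /* symlink, directory, device */
        return 0;
    if (st.st_mode & (S_ISUID | S_ISGID))  /* setuid/setgid target */
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))  /* others can rewrite the content */
        return 0;
    int r = chown_is_restricted(path);
    if (r <= 0)
        return r;                          /* giveaway possible, or unknown */
    *owner = st.st_uid;
    return 1;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        uid_t uid = 0;
        int r = owner_is_attributable(argv[i], &uid);
        if (r == 1)
            printf("%s: owner uid %lu is attributable\n", argv[i], (unsigned long)uid);
        else
            printf("%s: %s\n", argv[i], r == 0 ? "ownership proves nothing" : "error");
    }
    return 0;
}
```

The answer can differ between filesystems on one host, so it has to be asked about the file itself, and a path-based check like this one can be raced between the check and a later exec.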