httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Using SuExec with mod_vhost_alias
Date Sun, 19 Oct 2003 15:10:00 GMT

On Thu, 18 Sep 2003 jess@digitalssg.net wrote:
> Couldn't suexec just stat() the file being executed and setuid()
> setgid() to that UID/GID?

This would be a HUGE security hole on systems that allow users to give
away ownership using chown.  (Most systems don't do that anymore,
but suexec needs to be safe everywhere.)

In any case, it would be a major change to the security model of suexec,
and playing with suexec is a dangerous thing to do.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
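An added illustration (not suexec source and not part of the message above) of the distinction the reply turns on: taking the identity from the file's owner versus taking it from server configuration and only checking the file against it. The function names, uid values and minimum-uid threshold are assumptions, and the file metadata is constructed rather than read from disk.

```c
#define _XOPEN_SOURCE 700
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The approach asked about in the quoted question: the uid to switch to is
 * read from the file, so whoever controls the file's ownership controls it. */
uid_t uid_from_file_owner(const struct stat *st)
{
    return st->st_uid;
}

/* Hypothetical alternative: uid/gid come from the server configuration and
 * the file's metadata is only verified against them. */
bool owner_matches_config(const struct stat *st, uid_t cfg_uid, gid_t cfg_gid,
                          uid_t min_uid)
{
    if (cfg_uid < min_uid)                  /* never root or system accounts */
        return false;
    if (!S_ISREG(st->st_mode))              /* regular files only */
        return false;
    if (st->st_mode & (S_IWGRP | S_IWOTH))  /* someone else could rewrite it */
        return false;
    if (st->st_mode & (S_ISUID | S_ISGID))  /* no setuid/setgid programs */
        return false;
    return st->st_uid == cfg_uid && st->st_gid == cfg_gid;
}

/* Constructed sample metadata; no real file is touched. */
struct stat sample_stat(uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_uid = uid;
    st.st_gid = gid;
    st.st_mode = mode;
    return st;
}

int main(void)
{
    /* Script under a vhost configured for uid/gid 1001, but owned by 1002. */
    struct stat st = sample_stat(1002, 1002, S_IFREG | 0755);
    printf("owner-derived uid: %lu\n", (unsigned long)uid_from_file_owner(&st));
    printf("config check passes: %d\n", owner_matches_config(&st, 1001, 1001, 100));
    return 0;
}
```

With the second function, a file whose ownership does not match the configured account is refused instead of deciding which account the request runs as.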

