www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric I. Ekong" <eko...@ccaa.edu>
Subject config/1161: Cgi scripts been run as nobody instead of user.
Date Tue, 23 Sep 1997 21:30:02 GMT

>Number:         1161
>Category:       config
>Synopsis:       Cgi scripts been run as nobody instead of user.
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Sep 23 14:30:02 1997
>Originator:     ekonge@ccaa.edu
>Organization:
apache
>Release:        Apache 1.1.3-3
>Environment:
Linux abraham.ccaa.edu 2.0.30 #2 Sat Aug 30 17:53:48 EDT 1997 i586 unknown
>Description:
Basically, when cgi-scripts are run by our users they run as nobody instead of 
the users id.  We want alieve this problem by making the script run as the user.
We are not sure if this will be a security issue or not.  My thought is that
having nobody running several httpd daemons and then a number of cgi scripts
from out users guestbooks us a big security risk.  It also causes us a problem 
tracking down the run on process caused by a script.  Is there a way to keep 
that script running as the user's id.  I know there is a way to do this 
Front Page allows this with virtual hosts, but this is a college campus and we 
can't exactly set up 400 virtual hosts for our users. Can anyone provide us with
the information to combat this problem?
>How-To-Repeat:
http://www.ccaa.edu/~bilbrj/sign.htm
>Fix:
No Idea, I am hoping you can tell me how to do this.  We need to make it so 
that cgi scripts ran out of the users directories will be run by there id and 
not nobody.  It worries me and I think it might cause a security risks with 
nobody popping up in all of the process running
>Audit-Trail:
>Unformatted:



Mime
View raw message