www-apache-bugdb mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: config/1347: Serving pages as root. (fwd)
Date Sat, 01 Nov 1997 21:20:00 GMT
The following reply was made to PR config/1347; it has been noted by GNATS.

From: Marc Slemko <marcs@znep.com>
To: Apache bugs database <apbugs@apache.org>
Cc:
Subject: Re: config/1347: Serving pages as root. (fwd)
Date: Sat, 1 Nov 1997 14:19:01 -0700 (MST)

 ---------- Forwarded message ----------
 Date: Sat, 1 Nov 1997 14:12:57 -0700
 From: Bob Ross <bross@kingman.com>
 To: marc@hyperreal.org
 Subject: Re: config/1347: Serving pages as root.
 I'll have to re-write the CGI to work in the background instead of from a
 form. Would not be too much trouble to set a cron to look for a file and then
 process the information in it.
 Thanks for your reply.
 Bob Ross
 -----Original Message-----
 From: marc@hyperreal.org <marc@hyperreal.org>
 To: apache-bugdb@apache.org <apache-bugdb@apache.org>; bross@kingman.com
 <bross@kingman.com>; marc@apache.org <marc@apache.org>
 Date: Saturday, November 01, 1997 1:54 PM
 Subject: Re: config/1347: Serving pages as root.
 >Synopsis: Serving pages as root.
 >State-Changed-From-To: open-closed
 >State-Changed-By: marc
 >State-Changed-When: Sat Nov  1 12:59:05 PST 1997
 >What you are doing was a very poor security practice before
 >and is still a very poor security practice.
 >You could make your CGI setuid root, make a special group
 >for your server, and then make it only group (i.e. not world)
 >executable.  That still isn't very smart security practice,
 >because it means if anyone compromises your http server
 >they can likely gain root.
 >If you wish to disable the check for running as uid0,
 >it is explained clearly how to do so in the error message
 >generated when you try.  This will leave you with something
 >just as insecure as your old setup.
 >We really can't go step by step through the ways you can
 >accomplish what you want; you could try asking in the
 >appropriate Usenet newsgroup, but be aware that it takes
 >a good bit of knowledge about security to do what you want
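The pattern Bob Ross describes in his reply, a CGI that only drops a request file and a cron job that later processes it, is the privilege-separated alternative to the setuid-root CGI the reply warns against: if the web server is compromised, the attacker gets a writable spool directory rather than root. The example below is added here and is not code from the bug report or from Apache; the request format (an `action` field and a `username` field), the allowlisted actions, the username pattern and the `req-*` spool naming are all assumptions made for illustration. Its point is that the privileged processor must treat the spool file as untrusted input from the web-facing process, so it validates every field against an allowlist, refuses symlinks and oversized files, and only then hands a clean (action, username) pair to the privileged handler.

```python
"""Privilege-separated request spool (added example, not the page's code).

Unprivileged side (the CGI, run as the web server user): write_request()
only drops a file into the spool and never does anything privileged.
Privileged side (run from cron): process_spool() treats every file as
hostile input, validates it, and only then calls the privileged handler.
"""
import os
import re
import tempfile
from pathlib import Path

# Hypothetical request vocabulary: only these actions may be requested,
# usernames must match a conservative pattern, and reserved names are refused.
ALLOWED_ACTIONS = {"adduser", "deluser"}
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
RESERVED_USERNAMES = {"root"}
MAX_REQUEST_BYTES = 512


def write_request(spool: Path, action: str, username: str) -> Path:
    """Unprivileged side: write the request to a temp file, then rename it
    into place so the processor never sees a half-written file."""
    fd, tmp = tempfile.mkstemp(prefix=".req-", dir=spool)
    with os.fdopen(fd, "w") as f:
        f.write(f"action={action}\nusername={username}\n")
    final = spool / Path(tmp).name.lstrip(".")  # ".req-XXXX" -> "req-XXXX"
    os.rename(tmp, final)
    return final


def parse_request(text: str):
    """Privileged side: strict parse of one request file.

    Returns (action, username) or None if anything is off: oversized input,
    unknown or duplicate keys, missing fields, action outside the allowlist,
    or a username that fails the pattern or is reserved.
    """
    if len(text) > MAX_REQUEST_BYTES:
        return None
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key in fields or key not in ("action", "username"):
            return None
        fields[key] = value
    if set(fields) != {"action", "username"}:
        return None
    if fields["action"] not in ALLOWED_ACTIONS:
        return None
    username = fields["username"]
    if not USERNAME_RE.fullmatch(username) or username in RESERVED_USERNAMES:
        return None
    return fields["action"], username


def process_spool(spool: Path, handler):
    """Privileged side (cron job): process each request file exactly once.

    Every file is opened with O_NOFOLLOW so a symlink planted by the web
    user cannot redirect the read; malformed files are deleted unprocessed.
    Returns a list of (filename, "done" | "rejected").
    """
    results = []
    for path in sorted(spool.glob("req-*")):
        try:
            fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
        except OSError:
            results.append((path.name, "rejected"))
            path.unlink(missing_ok=True)
            continue
        with os.fdopen(fd, "r", errors="replace") as f:
            text = f.read(MAX_REQUEST_BYTES + 1)  # +1 so oversize is detected
        req = parse_request(text)
        if req is None:
            results.append((path.name, "rejected"))
        else:
            handler(*req)  # the only place privileged work happens
            results.append((path.name, "done"))
        path.unlink(missing_ok=True)
    return results


def demo():
    """Constructed run: one well-formed request, one with shell metacharacters
    in the username, one with an action outside the allowlist."""
    performed = []
    with tempfile.TemporaryDirectory() as d:
        spool = Path(d)
        write_request(spool, "adduser", "bob")
        write_request(spool, "adduser", "bob; rm -rf /")  # must be rejected
        write_request(spool, "shell", "bob")              # must be rejected
        results = process_spool(spool, lambda a, u: performed.append((a, u)))
    return performed, sorted(status for _, status in results)


if __name__ == "__main__":
    print(demo())
```

The handler is the only privileged code path, and it receives values that have already passed the allowlist, which is what keeps a compromised web server from turning the spool into a root shell.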
