www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Saccoccio <r...@InfiniteTechnology.com>
Subject RE: general/2580: Apache won't run CGI scripts executable only by a supplementary group
Date Mon, 22 Feb 1999 14:40:01 GMT
The following reply was made to PR general/2580; it has been noted by GNATS.

From: Rob Saccoccio <robs@InfiniteTechnology.com>
To: "'lars@apache.org'" <lars@Apache.Org>
Cc: "'apbugs@Apache.Org'" <apbugs@Apache.Org>
Subject: RE: general/2580: Apache won't run CGI scripts executable only by
	 a supplementary group
Date: Mon, 22 Feb 1999 09:33:26 -0500

 Retrans to log to apbugs..
 
 -----Original Message-----
 From: Rob Saccoccio 
 Sent: Monday, February 22, 1999 9:29 AM
 To: 'lars@apache.org'; apache-bugdb@apache.org; Rob Saccoccio
 Subject: RE: general/2580: Apache won't run CGI scripts executable only
 by a supplementary group
 
 
 This appears to still be a problem under Apache 1.3.4.  I'll restate:
 
 initgroups() is called to initialize supplementary groups for Apache, but
 when CGI scripts are exec'd a check is performed which prevents the use of
 those supplementary group privileges to exec() the script (unless
 MULTIPLE_GROUPS is defined).  This is problematic because the script is
 still invoked with the supplementary groups defined, thus it can exec others
 using those privileges (that Apache couldn't).
 
 My recommendation is to remove the supplementary groups using setgroups()
 after the fork() (unless MULTIPLE_GROUPS is defined).
 
   robs

Mime
View raw message