www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Saccoccio <r...@InfiniteTechnology.com>
Subject RE: general/2580: Apache won't run CGI scripts executable only by a supplementary group
Date Mon, 22 Feb 1999 14:29:28 GMT
This appears to still be a problem under Apache 1.3.4.  I'll restate:

initgroups() is called to initialize supplementary groups for Apache, but
when CGI scripts are exec'd a check is performed which prevents the use of
those supplementary group privileges to exec() the script (unless
MULTIPLE_GROUPS is defined).  This is problematic because the script is
still invoked with the supplementary groups defined, thus it can exec others
using those privileges (that Apache couldn't).

My recommendation is to remove the supplementary groups using setgroups()
after the fork() (unless MULTIPLE_GROUPS is defined).

  robs

Mime
View raw message