Date: Thu, 18 Oct 2001 17:03:42 +0400 From: "Andrey A. Chernov" <ache@nagual.pp.ru> To: Sheldon Hearn <sheldonh@starjuice.net> Cc: Yarema <yds@dppl.com>, ports@FreeBSD.org Subject: Re: HEADS UP: Apache port change from nobody:nogroup to www:www planned Message-ID: <20011018170342.B64487@nagual.pp.ru> In-Reply-To: <29090.1003407835@axl.seasidesoftware.co.za> References: <20011018161609.A63967@nagual.pp.ru> <29090.1003407835@axl.seasidesoftware.co.za>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Oct 18, 2001 at 14:23:55 +0200, Sheldon Hearn wrote: > > Any priviledges, read/write/etc. Nobody is internal NFS user means 'root'. > > To NFS, nobody _may_ mean "the user to which root should be mapped". The > system should _never_ be structured such that having nobody privelege is > equivalent to having root privelege. Yes, I just not reproduce full phrase, I mean 'root in some sense' > Specifically, one usually maps a foreign host's root to the local > nobody. This means "foreign host's root has world-only permissions". And it not means that Apache allowed to read nobody files with 700 permissions. > This is sounding worse and worse to me. Could you maybe provide an > example that demonstrates the danger you're trying to protect against? See one above. And not forget about NIS, which use nobody in special way too. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011018170342.B64487>