Message-ID: <3DD3A5E7.8020908@centtech.com>
Date: Thu, 14 Nov 2002 07:32:23 -0600
From: Eric Anderson
To: Kirk Bailey
Cc: "security@FreeBSD.ORG"
Subject: Re: list scripts, permissions, and ownerships.
References: <3DD33DA6.55DB03A@netzero.net>

Kirk Bailey wrote:
> oops. I quote:
>
>   7. Is the target user NOT superuser?
>
>      Presently, suEXEC does not allow 'root' to execute CGI/SSI
>      programs.
>
> Alas, the file appears to be owned by root. Now what?

I'm assuming by "owned by root" you mean setuid bit is on and the ownership is root? Just making a file owned by root doesn't make it run as root.

If you DID have the setuid bit on, and it IS root owned, you are in dangerous waters. It's not really a great idea to have suid root programs running from a web site - all it takes is for you to miss one thing and the "evil hacker" has root access on your box, instead of just access as "nobody". The nobody user should be able to read the aliases file just fine with no extra permissions.

Eric

--
Eric Anderson
Systems Administrator
Centaur Technology
Beware the fury of a patient man.
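An added example, not part of the original message: a Python audit of a CGI directory that separates files merely owned by root from files that are setuid root, the distinction drawn in the reply above. The category names and the directory argument are assumptions made for the illustration.

```python
import os
import stat
import sys

ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def classify(mode, uid):
    """Classify one regular file from its st_mode and st_uid."""
    # The setuid bit only matters on a file that can be executed.
    setuid = bool(mode & stat.S_ISUID) and bool(mode & ANY_EXEC)
    if setuid and uid == 0:
        return "setuid-root"   # executes with root's effective uid
    if setuid:
        return "setuid"        # executes as its (non-root) owner
    if uid == 0:
        return "root-owned"    # ownership alone changes nothing at exec time
    return "plain"

def audit(top):
    """Walk `top` and return {path: category} for every regular file."""
    report = {}
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode):
                report[path] = classify(st.st_mode, st.st_uid)
    return report

if __name__ == "__main__":
    # Directory to audit; defaults to the current directory (assumption).
    top = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = audit(top)
    for path, category in sorted(findings.items()):
        if category.startswith("setuid"):
            print(f"{category:12} {path}")
    # Non-zero exit when a setuid-root file is present, for use in cron or CI.
    sys.exit(1 if "setuid-root" in findings.values() else 0)
```
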