Date:      Thu, 18 Oct 2001 07:05:11 -0400
From:      Yarema <yds@dppl.com>
To:        ports@FreeBSD.org
Cc:        Andrey A.Chernov <ache@nagual.pp.ru>, Sheldon Hearn <sheldonh@starjuice.net>
Subject:   Re: HEADS UP: Apache port change from nobody:nogroup to www:www planned
Message-ID:  <20011018110513.C38731B3B0@volyn.dppl.net>

Andrey A. Chernov wrote:
> On Thu, Oct 18, 2001 at 12:22:32 +0200, Sheldon Hearn wrote:
>> 
>> Hold on a second.  What files does Apache _write_ as user nobody?
> 
> Any file written from cgi-bin script f.e.

I tend to agree with Sheldon Hearn here.

As Doug Barton put it:
> I agree that sa's that need their cgi processes to write files
> should take appropriate steps to make sure that their apache user/group
> permissions are safe, but I'm afraid that the step you're taking is going
> to mask the problem and give people a false sense of security.

Apache is not abusing nobody:nogroup -- users who don't configure their CGI 
environment are.   The Right Thing is to run CGIs via suexec.  suexec works 
better if apache does run as nobody:nogroup.  eperl is another port that 
takes advantage of apache running as specifically nobody:nogroup to change 
the process ownership to the script owner's uid.

-- 
Yarema
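The two arrangements the thread is arguing about, side by side, as an added httpd.conf illustration (not part of the original message or the FreeBSD port; the account `alice`, the hostname and the paths are assumed; Apache 2.x `SuexecUserGroup` syntax is used, Apache 1.3 expressed the same thing with per-vhost `User`/`Group`):

```apache
# Assumed names: alice, example.test and the paths below are illustrative.

# Server-wide identity: a low-privilege account that should own nothing
# writable under any DocumentRoot. Whether it is nobody:nogroup or www:www
# does not change the argument.
User nobody
Group nogroup

# Weak arrangement: CGIs execute as the server user, so a site owner whose
# script needs to save data "fixes" it with
#     chown nobody /home/alice/public_html/data
# and now every CGI on the machine, in every vhost, can write there.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /home/alice/public_html
    ScriptAlias /cgi-bin/ /home/alice/public_html/cgi-bin/
</VirtualHost>

# Corrected arrangement: suexec switches to the script owner's uid/gid
# before exec, so the data directory stays owned by alice and the server
# user needs no write access at all.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /home/alice/public_html
    SuexecUserGroup alice alice
    ScriptAlias /cgi-bin/ /home/alice/public_html/cgi-bin/
</VirtualHost>
# suexec refuses to run the script unless it and its directory are owned by
# alice, are not writable by group or others, the uid is at or above the
# compiled-in minimum, and the path lies under suexec's compiled-in docroot.
```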