Mike Bilow [mailto:mikebw@colossus.bilow.com] wrote:
> With all due respect, I disagree. If one user's scripts can start out as
> the web server process owner and become UserA, then another user's scripts
> can do the same and become UserA also.
Not true. Only scripts owned by userA and inside his home directory can be run
as userA. Go and read the suexec documentation on the apache web-site. And this
is only one of the many checks performed.
http://www.apache.org/docs/suexec.html
I'm not asking that everyone customize suexec with a big patch like I have
done... I'm just referenced that to say that I know the suexec code inside and
out because I've worked with it so much. You can use the suexec just as it
comes with apache and it will serve you well.
Or run another webserver process as another user.. you don't have to use
suexec.
And I'm not even lobbying that the problem be "fixed" per-se by OpenSRS, but
rather that OpenSRS just tell people about the danger so they don't have a
false sense of security.
- David Harris
Principal Engineer, DRH Internet Inc.
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:22 EDT