www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Elliott Mitchell <e...@cat.pdx.edu>
Subject suexec/4765: Directory Ownership
Date Mon, 26 Jul 1999 03:21:25 GMT

>Number:         4765
>Category:       suexec
>Synopsis:       Directory Ownership
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sun Jul 25 20:30:01 PDT 1999
>Last-Modified:
>Originator:     ehem@cat.pdx.edu
>Organization:
apache
>Release:        1.3.1
>Environment:
Solaris 2.5.1 (SunOS 5.5.1) Sparc, GCC 2.7.2.1
>Description:
According to the documentation for suEXEC, the only test on the
directory where CGIs are located is "Is the directory NOT writable by
anyone else?". By testing it is pretty clear the group on the
directory is also checked.
>How-To-Repeat:
Change the group for a user's CGI-bin directory to any group other
than the owner's default.
>Fix:
Either fix the documentation (http://www.apache.org/docs/suexec.html) or remove this test
from suEXEC. IMHO I think
the test should be removed since checking the directory's group doesn't appear to improve
security in any way.
In fact makes it impossible to have a user's WWW directory owned by a web group, restrict
access to
Apache only, and then have the actual CGI programs owned by the user's group (to meet that
requirement of suEXEC).
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]




Mime
View raw message