From owner-freebsd-ports Thu Oct 18 4: 1:53 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201])
	by hub.freebsd.org (Postfix) with ESMTP
	id EC59837B410; Thu, 18 Oct 2001 04:01:47 -0700 (PDT)
Received: from sheldonh (helo=axl.seasidesoftware.co.za)
	by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1)
	id 15uAwP-00079p-00; Thu, 18 Oct 2001 13:02:21 +0200
From: Sheldon Hearn
To: "Andrey A. Chernov"
Cc: ports@freebsd.org, arch@freebsd.org
Subject: Re: HEADS UP: Apache port change from nobody:nogroup to www:www planned
In-reply-to: Your message of "Thu, 18 Oct 2001 14:54:30 +0400." <20011018145428.B62250@nagual.pp.ru>
Date: Thu, 18 Oct 2001 13:02:21 +0200
Message-ID: <27516.1003402941@axl.seasidesoftware.co.za>
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 18 Oct 2001 14:54:30 +0400, "Andrey A. Chernov" wrote:

> This is not for this reason at all. This is because nobody user is NFS
> special and can't be used even for sandboxes without any writes.

It just seems weird to me that you haven't just left this area up to
things like the Apache SuExec project etc. CGI scripts are complex
beasts, and I wonder how much real security you gain with this
simplistic "solution".

I'm not saying you're making a mistake. I'm just nervous that this
hasn't been thought through very carefully and that you're just jumping
on the anti-nobody bandwagon. [1]

Ciao,
Sheldon.

[1] I think the anti-nobody bandwagon is headed in the right direction,
    mind you.