Date: Thu, 18 Oct 2001 10:52:53 -0700 (PDT)
From: Gordon Tetlow
To: "Andrey A. Chernov"
Cc: Sheldon Hearn, Yarema
Subject: Re: HEADS UP: Apache port change from nobody:nogroup to www:www planned
In-Reply-To: <20011018170342.B64487@nagual.pp.ru>
Sender: owner-freebsd-ports@FreeBSD.ORG

Moved to -arch, where this rightfully belongs...

On Thu, 18 Oct 2001, Andrey A. Chernov wrote:

> On Thu, Oct 18, 2001 at 14:23:55 +0200, Sheldon Hearn wrote:
>
> > Specifically, one usually maps a foreign host's root to the local
> > nobody. This means "foreign host's root has world-only permissions".
>
> And it not means that Apache allowed to read nobody files with 700
> permissions.

I thought we already established that nobody owning files was a bad thing. Anything that creates files as nobody should be fixed. Apache doesn't create files as nobody (although cgi's execed as it might, but that's the cgi's fault, not Apache's),

> > This is sounding worse and worse to me. Could you maybe provide an
> > example that demonstrates the danger you're trying to protect against?
>
> See one above. And not forget about NIS, which use nobody in special way
> too.

Refresh my memory as to why nobody is special in NIS land?

-gordon