Date: Mon, 16 Apr 2001 09:06:23 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: ache@nagual.pp.ru (Andrey A. Chernov)
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/www/mnoGoSearch-current Makefile
Message-ID: <200104161606.JAA52818@gndrsh.dnsmgr.net>
In-Reply-To: <20010416195744.A2726@nagual.pp.ru> from "Andrey A. Chernov" at "Apr 16, 2001 07:57:49 pm"

> On Mon, Apr 16, 2001 at 08:36:04 -0700, Rodney W. Grimes wrote:
> > > ache 2001/04/15 01:08:18 PDT
> > >
> > > Modified files:
> > > www/mnoGoSearch-current Makefile
> > > Log:
> > > chown nobody.nogroup whole /var/mnogosearch (not require additional privs for
> > > spelld)
> >
> > This exposes these files to NFS root access. The original concept of
> > nobody and nogroup was introduced by NFS, and the intent was that no
> > file no place ever should have a uid/gid with these values, as that
> > is what root is mapped to without a -maproot clause in the exports
> > line.
> >
> > Please do NOT continue to propagate this error of actually making
> > files owned by nobody or have group nogroup.
>
> This is needed for httpd reason. Unfortunately Apache httpd runs as
> nobody.nogroup and starts CGIs too. httpd must be fixed first to another
> user/group, probably www.www or something like. I prefer not to make fix
> by myself due to various backward compatibility issues I prefer to deal
> not. When httpd will be fixed, satellite ports can be fixed too, but not
> earlier.

The whole reason of running apache as nobody.nogroup is so that it
can not access a file of any type unless it is world accessible. The
mistake has been made to now chown files to nobody:nogroup so that
it can have access to them instead of setting w+r.

Does apache need write access to this hierarchy? If not a simple
chown root:wheel, chmod w+r over it will fix the problem and have no
impact on apache.

Also it seems as if -YOU- are the maintainer of apache, so please can
you go fix its abuse of nobody:nogroup. (Hint: running as nobody:nogroup
is _NOT_ the bug.)

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
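The ownership argument in the message above, as an added example that is not part of the original e-mail: it computes which mode-bit class a squashed NFS root credential lands in, and audits a tree for entries that credential owns or can write. The function names and the numeric IDs 65534:65533 for nobody:nogroup are assumptions; confirm them against the server's passwd, group and exports(5).

```python
import os
import stat

# Assumed IDs for the squashed NFS root credential (nobody:nogroup);
# check /etc/passwd, /etc/group and exports(5) on the actual server.
SQUASH_UID = 65534
SQUASH_GID = 65533


def squashed_access(st_uid, st_gid, st_mode, uid=SQUASH_UID, gid=SQUASH_GID):
    """Return the 'rwx' string a uid/gid gets from classic Unix mode bits.

    Exactly one class applies: owner if the uid matches, else group if
    the gid matches, else other. ACLs and file flags are not considered.
    """
    if st_uid == uid:
        bits = (st_mode >> 6) & 7
    elif st_gid == gid:
        bits = (st_mode >> 3) & 7
    else:
        bits = st_mode & 7
    return "".join(c if bits & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))


def audit_tree(root, uid=SQUASH_UID, gid=SQUASH_GID):
    """Yield (path, access) for entries the credential owns (an owner can
    always chmod its own file) or can write through any class."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [""] + filenames:  # "" checks the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            access = squashed_access(st.st_uid, st.st_gid, st.st_mode, uid, gid)
            owned = st.st_uid == uid or st.st_gid == gid
            if owned or "w" in access:
                yield path, access


if __name__ == "__main__":
    # Constructed samples: (label, st_uid, st_gid, st_mode)
    samples = [
        ("chown nobody:nogroup, 0644", SQUASH_UID, SQUASH_GID, 0o100644),
        ("chown root:wheel, 0644", 0, 0, 0o100644),
        ("chown root:wheel, 0666", 0, 0, 0o100666),
    ]
    for label, u, g, mode in samples:
        print(f"{label:28} -> squashed root gets {squashed_access(u, g, mode)}")
```

Running `audit_tree("/var/mnogosearch")` on the server lists what a remote root mapped to that credential would own or be able to modify; an empty result matches the root:wheel, world-readable layout the message recommends.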