Date: Mon, 16 Apr 2001 12:16:34 -0700 From: Kris Kennaway <kris@obsecurity.org> To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> Cc: "Andrey A. Chernov" <ache@nagual.pp.ru>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: ports/www/mnoGoSearch-current Makefile Message-ID: <20010416121634.E10023@xor.obsecurity.org> In-Reply-To: <200104161606.JAA52818@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Mon, Apr 16, 2001 at 09:06:23AM -0700 References: <20010416195744.A2726@nagual.pp.ru> <200104161606.JAA52818@gndrsh.dnsmgr.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--imjhCm/Pyz7Rq5F2 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Apr 16, 2001 at 09:06:23AM -0700, Rodney W. Grimes wrote: > Also it seems as if -YOU- are the maintainer of apache, so please can > you go fix it's abuse of nobody:nogroup. (Hint: running as nobody:nogroup > is _NOT_ the bug.) Well, arguably it is, because people persist in making files owned by nobody, and since apache runs as that user a webserver compromise gives access to all those files. If it ran as e.g. user www, then it's explicit which files it owns because that user is unlikely to be used randomly outside a webserver context. Kris --imjhCm/Pyz7Rq5F2 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE620URWry0BWjoQKURAplKAKCe9rUhY5t+ju7U8qeC+zjA1UUgFwCfSfOZ gy7BOVevbmHjedJMWWa33rM= =ZGYw -----END PGP SIGNATURE----- --imjhCm/Pyz7Rq5F2-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010416121634.E10023>