Date: Mon, 16 Apr 2001 12:16:34 -0700
From: Kris Kennaway
To: "Rodney W. Grimes"
Cc: "Andrey A. Chernov", cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/www/mnoGoSearch-current Makefile
Message-ID: <20010416121634.E10023@xor.obsecurity.org>
References: <20010416195744.A2726@nagual.pp.ru> <200104161606.JAA52818@gndrsh.dnsmgr.net>
In-Reply-To: <200104161606.JAA52818@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Mon, Apr 16, 2001 at 09:06:23AM -0700

On Mon, Apr 16, 2001 at 09:06:23AM -0700, Rodney W. Grimes wrote:

> Also it seems as if -YOU- are the maintainer of apache, so please can
> you go fix its abuse of nobody:nogroup. (Hint: running as nobody:nogroup
> is _NOT_ the bug.)

Well, arguably it is, because people persist in making files owned by
nobody, and since apache runs as that user a webserver compromise
gives access to all those files. If it ran as e.g. user www, then
it's explicit which files it owns because that user is unlikely to be
used randomly outside a webserver context.
Kris
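An added example, not part of the original message: a small audit that lists what a daemon's run-as account owns or can write to under a directory tree, which is the exposure described above when files accumulate under a shared account such as nobody. The function name `exposed_to_uid`, the default account name and the command-line handling are assumptions made for this illustration.

```python
import os
import pwd
import stat
import sys


def exposed_to_uid(root, uid, gids=()):
    """Return sorted (path, reason) pairs for entries under root that a
    process running as uid (with group ids gids) owns or can write to,
    judged from ownership and mode bits only (no ACLs or file flags)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits say nothing about the target
            if st.st_uid == uid:
                reason = "owned"  # the owner can always chmod and rewrite
            elif st.st_gid in gids:
                # The group class applies, so the "other" bits are ignored.
                if not st.st_mode & stat.S_IWGRP:
                    continue
                reason = "group-writable"
            elif st.st_mode & stat.S_IWOTH:
                reason = "world-writable"
            else:
                continue
            findings.append((path, reason))
    return sorted(findings)


if __name__ == "__main__":
    # Usage (assumed): audit.py <root> [account]; account defaults to nobody.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    account = sys.argv[2] if len(sys.argv) > 2 else "nobody"
    entry = pwd.getpwnam(account)
    for path, reason in exposed_to_uid(root, entry.pw_uid, (entry.pw_gid,)):
        print(f"{reason}\t{path}")
```

With a dedicated account such as www, the "owned" results should be limited to the web server's own files; with nobody, anything another port or administrator left under that account shows up in the same list.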