Date: Mon, 16 Apr 2001 12:39:56 -0700 (PDT) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: kris@obsecurity.org (Kris Kennaway) Cc: ache@nagual.pp.ru (Andrey A. Chernov), cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: ports/www/mnoGoSearch-current Makefile Message-ID: <200104161939.MAA53486@gndrsh.dnsmgr.net> In-Reply-To: <20010416121634.E10023@xor.obsecurity.org> from Kris Kennaway at "Apr 16, 2001 12:16:34 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> On Mon, Apr 16, 2001 at 09:06:23AM -0700, Rodney W. Grimes wrote: > > > Also it seems as if -YOU- are the maintainer of apache, so please can > > you go fix it's abuse of nobody:nogroup. (Hint: running as nobody:nogroup > > is _NOT_ the bug.) > > Well, arguably it is, because people persist in making files owned by > nobody, and since apache runs as that user a webserver compromise > gives access to all those files. If it ran as e.g. user www, then > it's explicit which files it owns because that user is unlikely to be > used randomly outside a webserver context. I will agree that the running of of apache as nobody:nogroup is an arguable thing. But running it as www:www and having all the files _owned_ and _grouped_ www:www only solves the NFS issue, and does not address the other problem of having your webserver being able to nuked it's own content via all too common cgi bugs. -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104161939.MAA53486>