Date: Mon, 16 Apr 2001 12:43:42 -0700 From: Kris Kennaway <kris@obsecurity.org> To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> Cc: Kris Kennaway <kris@obsecurity.org>, "Andrey A. Chernov" <ache@nagual.pp.ru>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: ports/www/mnoGoSearch-current Makefile Message-ID: <20010416124342.A11258@xor.obsecurity.org> In-Reply-To: <200104161939.MAA53486@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Mon, Apr 16, 2001 at 12:39:56PM -0700 References: <20010416121634.E10023@xor.obsecurity.org> <200104161939.MAA53486@gndrsh.dnsmgr.net>
[-- Attachment #1 --]
On Mon, Apr 16, 2001 at 12:39:56PM -0700, Rodney W. Grimes wrote:
> > On Mon, Apr 16, 2001 at 09:06:23AM -0700, Rodney W. Grimes wrote:
> >
> > > Also it seems as if -YOU- are the maintainer of apache, so please can
> > > you go fix its abuse of nobody:nogroup. (Hint: running as nobody:nogroup
> > > is _NOT_ the bug.)
> >
> > Well, arguably it is, because people persist in making files owned by
> > nobody, and since apache runs as that user a webserver compromise
> > gives access to all those files. If it ran as e.g. user www, then
> > it's explicit which files it owns because that user is unlikely to be
> > used randomly outside a webserver context.
>
> I will agree that the running of apache as nobody:nogroup is an
> arguable thing. But running it as www:www and having all the files
> _owned_ and _grouped_ www:www only solves the NFS issue, and does
> not address the other problem of having your webserver being able
> to nuke its own content via all too common cgi bugs.

Yeah, wwwserver might be better, with a default wwwdata user provided to
make it clear what data files should be owned by.

Kris

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE620tuWry0BWjoQKURAhr7AJ98k9AL+pUn3KoWD9SsQzW0aptUhwCg/Abq
Lw3LwTPdsJMXOFVCsT5a9rs=
=4NIp
-----END PGP SIGNATURE-----
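The layout the thread converges on (one account the server runs as, a different account that owns the content, so a CGI bug cannot rewrite or delete the site) is easy to get subtly wrong, because a single group-writable or world-writable file reopens the hole. The script below is an added example, not code from the FreeBSD thread, the apache port, or its maintainers. It audits a document root for anything the server identity could write to, and it takes numeric ids rather than account names so it runs on a host where the hypothetical "wwwserver" and "wwwdata" accounts do not exist. The `lock_down_docroot` helper (which needs root, since it chowns) applies the ownership the thread describes; the account names passed to it are assumptions.

```shell
#!/bin/sh
# Added example: enforce and verify the wwwserver/wwwdata split from the thread.
# Not part of the FreeBSD apache port. Account names "wwwserver"/"wwwdata" are
# assumed; the audit itself works purely on numeric uid/gid.

# audit_docroot DOCROOT SERVER_UID SERVER_GID
# Prints every path under DOCROOT that a process running as SERVER_UID/SERVER_GID
# could modify or remove: owned by that uid, group-writable and in that gid,
# or world-writable. Directories count too: a writable directory lets the
# server unlink or replace the files inside it.
audit_docroot() {
    docroot=$1
    server_uid=$2
    server_gid=$3
    # -user/-group accept a numeric id when no account of that name exists,
    # so the audit host does not need the server account at all.
    find "$docroot" \( -user "$server_uid" \
                    -o \( -group "$server_gid" -perm -020 \) \
                    -o -perm -002 \) -print
}

# count_writable DOCROOT SERVER_UID SERVER_GID
# Number of findings; zero means the server identity cannot touch its content.
count_writable() {
    audit_docroot "$1" "$2" "$3" | wc -l | tr -d ' '
}

# lock_down_docroot DOCROOT DATA_USER DATA_GROUP
# Root-only: give the content to the data account and strip group/world write,
# leaving everything readable so the server can still serve it.
lock_down_docroot() {
    docroot=$1
    data_user=$2
    data_group=$3
    chown -R "$data_user:$data_group" "$docroot" || return 1
    find "$docroot" -type d -exec chmod 755 {} + || return 1
    find "$docroot" -type f -exec chmod 644 {} + || return 1
}

# Typical use after deploying content (assumed account names):
#   lock_down_docroot /usr/local/www/data wwwdata wwwdata
#   audit_docroot /usr/local/www/data "$(id -u wwwserver)" "$(id -g wwwserver)"
```

Run the audit from cron or as a deploy gate: any output means a CGI running as the server account already has write access to part of the site. Note that the audit deliberately does not exclude directories the application legitimately needs to write (upload spools, session stores); keep those outside the document root and give them to the server account explicitly rather than whitelisting them here.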
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010416124342.A11258>
