Date: Mon, 16 Apr 2001 12:43:42 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc: Kris Kennaway <kris@obsecurity.org>, "Andrey A. Chernov" <ache@nagual.pp.ru>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/www/mnoGoSearch-current Makefile
Message-ID: <20010416124342.A11258@xor.obsecurity.org>
In-Reply-To: <200104161939.MAA53486@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Mon, Apr 16, 2001 at 12:39:56PM -0700
References: <20010416121634.E10023@xor.obsecurity.org> <200104161939.MAA53486@gndrsh.dnsmgr.net>
On Mon, Apr 16, 2001 at 12:39:56PM -0700, Rodney W. Grimes wrote:
> > On Mon, Apr 16, 2001 at 09:06:23AM -0700, Rodney W. Grimes wrote:
> >
> > > Also it seems as if -YOU- are the maintainer of apache, so please can
> > > you go fix its abuse of nobody:nogroup. (Hint: running as nobody:nogroup
> > > is _NOT_ the bug.)
> >
> > Well, arguably it is, because people persist in making files owned by
> > nobody, and since apache runs as that user a webserver compromise
> > gives access to all those files. If it ran as e.g. user www, then
> > it's explicit which files it owns because that user is unlikely to be
> > used randomly outside a webserver context.
>
> I will agree that the running of apache as nobody:nogroup is an
> arguable thing. But running it as www:www and having all the files
> _owned_ and _grouped_ www:www only solves the NFS issue, and does
> not address the other problem of having your webserver being able
> to nuke its own content via all too common cgi bugs.

Yeah, wwwserver might be better, with a default wwwdata user provided to
make it clear what data files should be owned by.

Kris
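The split the two of them are circling (one uid the server process runs as, a different uid that owns the content, so a CGI bug running as the server cannot rewrite or delete the document root) can be audited with the shell functions below. This is an added example and is not code from this thread, from the apache port, or from FreeBSD. The user and group names wwwserver and wwwdata are hypothetical stand-ins for the names Kris floats; giving the content to group wwwserver with g=rX so the server reads through the group bits is this example's own choice; the sample document tree is constructed inline, with the current uid standing in for the server uid.

```shell
#!/bin/sh
# Audit a document root for content the web server's own uid/gid could modify.
# Added example, not from the thread or the apache port. The names "wwwserver"
# (process identity) and "wwwdata" (content owner) are hypothetical.
#
# Threat model from the discussion: a CGI or server bug runs code as the
# server uid. Anything that uid owns, or can write through group/other bits,
# is content the attacker can rewrite or delete. Content owned by a separate
# "wwwdata" user with mode u=rwX,g=rX,o= is readable by the server group but
# writable only by the content owner.

# audit_docroot DOCROOT SERVER_USER SERVER_GROUP
# Prints one "reason: path" line per finding; prints nothing for a clean tree.
# Numeric uids/gids are accepted by find -user/-group on GNU and BSD find.
audit_docroot() {
    docroot=$1
    server_user=$2
    server_group=$3

    # Owned by the server uid: writable regardless of mode bits, since the
    # owner can always chmod the file (this is the nobody:nogroup problem).
    find "$docroot" -user "$server_user" -print 2>/dev/null |
        sed 's/^/owned-by-server-user: /'

    # Group-owned by the server gid and group-writable (mode bit 020).
    find "$docroot" -group "$server_group" -perm -020 -print 2>/dev/null |
        sed 's/^/group-writable-by-server: /'

    # World-writable (mode bit 002): writable by every uid, the server's included.
    find "$docroot" -perm -002 -print 2>/dev/null |
        sed 's/^/world-writable: /'
}

# fix_commands DOCROOT [OWNER] [SERVER_GROUP]
# Prints, but does not run, the commands that hand the tree to the content
# owner and leave the server read-only access. Run them as root after review.
fix_commands() {
    docroot=$1
    owner=${2:-wwwdata}
    server_group=${3:-wwwserver}
    printf 'chown -R %s:%s %s\n' "$owner" "$server_group" "$docroot"
    # u=rwX: owner reads/writes, X keeps directories searchable;
    # g=rX: the server group reads and traverses only; o=: nobody else.
    printf 'chmod -R u=rwX,g=rX,o= %s\n' "$docroot"
}

# Constructed sample tree; the current uid/gid stand in for wwwserver.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs/cgi-bin"
    printf 'index\n' > "$d/htdocs/index.html"
    chmod 644 "$d/htdocs/index.html"
    printf 'scratch\n' > "$d/htdocs/upload.txt"
    chmod 666 "$d/htdocs/upload.txt"          # sloppy world-writable scratch file

    echo "== findings (server uid = $(id -u), gid = $(id -g)) =="
    audit_docroot "$d/htdocs" "$(id -u)" "$(id -g)"
    echo "== suggested fix (printed, not executed) =="
    fix_commands "$d/htdocs"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh audit.sh demo` to see the findings on the constructed tree; for a real host, pass the document root and the identity the worker processes actually run under (check with `ps -o user,group -p <pid>` on a running httpd child rather than trusting the config file). Every line the audit prints is a file a compromised CGI could alter; after the chown/chmod in fix_commands, only world-writable leftovers should remain, and those need a decision of their own.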
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010416124342.A11258>