From owner-cvs-all Mon Apr 16 12:44:09 2001
Date: Mon, 16 Apr 2001 12:43:42 -0700
From: Kris Kennaway
To: "Rodney W. Grimes"
Cc: Kris Kennaway, "Andrey A. Chernov", cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/www/mnoGoSearch-current Makefile
Message-ID: <20010416124342.A11258@xor.obsecurity.org>
References: <20010416121634.E10023@xor.obsecurity.org> <200104161939.MAA53486@gndrsh.dnsmgr.net>
In-Reply-To: <200104161939.MAA53486@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Mon, Apr 16, 2001 at 12:39:56PM -0700

On Mon, Apr 16, 2001 at 12:39:56PM -0700, Rodney W. Grimes wrote:
> > On Mon, Apr 16, 2001 at 09:06:23AM -0700, Rodney W. Grimes wrote:
> >
> > > Also it seems as if -YOU- are the maintainer of apache, so please can
> > > you go fix its abuse of nobody:nogroup. (Hint: running as nobody:nogroup
> > > is _NOT_ the bug.)
> >
> > Well, arguably it is, because people persist in making files owned by
> > nobody, and since apache runs as that user a webserver compromise
> > gives access to all those files. If it ran as e.g. user www, then
> > it's explicit which files it owns because that user is unlikely to be
> > used randomly outside a webserver context.
>
> I will agree that the running of apache as nobody:nogroup is an
> arguable thing. But running it as www:www and having all the files
> _owned_ and _grouped_ www:www only solves the NFS issue, and does
> not address the other problem of having your webserver being able
> to nuke its own content via all too common cgi bugs.

Yeah, wwwserver might be better, with a default wwwdata user provided to
make it clear what data files should be owned by.

Kris
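The two layouts argued over above, as an added model that is not part of the thread and not FreeBSD or Apache code: a small POSIX mode-bit access check run over a constructed file tree. Layout A runs httpd as nobody:nogroup on a box where unrelated software has also left nobody-owned files; layout B runs httpd as a wwwserver user that is merely a member of the wwwdata group owning the content. The numeric ids (65534/65533, 80/81), paths and files are assumptions chosen for the model, not taken from any real passwd file or port.

```python
from dataclasses import dataclass
from stat import S_IRUSR, S_IWUSR, S_IRGRP, S_IWGRP, S_IROTH, S_IWOTH

# Assumed numeric ids for the model (hypothetical, not from a real passwd file).
NOBODY, NOGROUP = 65534, 65533
WWWSERVER, WWWDATA = 80, 81


@dataclass(frozen=True)
class Node:
    """A file or directory: owner uid, group gid and permission bits."""
    path: str
    uid: int
    gid: int
    mode: int


@dataclass(frozen=True)
class Proc:
    """A process credential: effective uid and the groups it belongs to."""
    uid: int
    groups: frozenset


def may(proc: Proc, node: Node, want: str) -> bool:
    """Discretionary access check for want == 'r' or 'w', root never refused.

    Exactly one permission class applies: owner if the uid matches, else
    group if any of the process's groups matches, else other. A file that is
    group-readable but not owner-matched therefore grants read only.
    """
    if proc.uid == 0:
        return True
    if proc.uid == node.uid:
        rbit, wbit = S_IRUSR, S_IWUSR
    elif node.gid in proc.groups:
        rbit, wbit = S_IRGRP, S_IWGRP
    else:
        rbit, wbit = S_IROTH, S_IWOTH
    return bool(node.mode & (rbit if want == "r" else wbit))


# Layout A (constructed): httpd runs as nobody:nogroup, the docroot was
# installed owned by nobody, and some unrelated daemon also uses nobody.
NOBODY_LAYOUT = [
    Node("/usr/local/www/data", NOBODY, NOGROUP, 0o755),
    Node("/usr/local/www/data/index.html", NOBODY, NOGROUP, 0o644),
    Node("/var/spool/someapp/queue.db", NOBODY, NOGROUP, 0o644),  # not web content
]
HTTPD_AS_NOBODY = Proc(NOBODY, frozenset({NOGROUP}))

# Layout B (constructed): httpd runs as wwwserver, content is owned by wwwdata,
# and wwwserver is only a member of the wwwdata group. Group bits grant read,
# never write, so a CGI bug in the server cannot rewrite the docroot.
SPLIT_LAYOUT = [
    Node("/usr/local/www/data", WWWDATA, WWWDATA, 0o750),
    Node("/usr/local/www/data/index.html", WWWDATA, WWWDATA, 0o640),
    Node("/var/spool/someapp/queue.db", NOBODY, NOGROUP, 0o644),
]
HTTPD_AS_WWWSERVER = Proc(WWWSERVER, frozenset({WWWSERVER, WWWDATA}))
DEPLOY_AS_WWWDATA = Proc(WWWDATA, frozenset({WWWDATA}))  # the content publisher


def server_access(proc: Proc, layout: list) -> tuple:
    """Return (readable, writable) path lists for one credential over a layout."""
    readable = [n.path for n in layout if may(proc, n, "r")]
    writable = [n.path for n in layout if may(proc, n, "w")]
    return readable, writable


if __name__ == "__main__":
    for name, proc, layout in (
        ("nobody layout, httpd as nobody", HTTPD_AS_NOBODY, NOBODY_LAYOUT),
        ("split layout, httpd as wwwserver", HTTPD_AS_WWWSERVER, SPLIT_LAYOUT),
        ("split layout, deploy as wwwdata", DEPLOY_AS_WWWDATA, SPLIT_LAYOUT),
    ):
        r, w = server_access(proc, layout)
        print(f"{name}: readable={r} writable={w}")
```

In layout A the server credential can write every file it can see, including the unrelated spool file, which is Kris's objection to nobody. In layout B the server still reads everything it needs but can write nothing, while a separate wwwdata credential (the thing that actually publishes content) keeps write access; that is the separation Rodney's CGI-bug point calls for and that a plain www:www layout does not give.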