Date: Mon, 28 Jul 1997 20:16:53 +0000 (GMT) From: "Jonathan A. Zdziarski" <jonz@netrail.net> To: Vincent Poy <vince@mail.MCESTATE.COM> Cc: "[Mario1-]" <Mario1@PrimeNet.Com>, JbHunt <johnnyu@accessus.net>, Robert Watson <robert+freebsd@cyrus.watson.org>, Tomasz Dudziak <loco@onyks.wszib.poznan.pl>, security@FreeBSD.ORG Subject: Re: security hole in FreeBSD Message-ID: <Pine.BSF.3.95q.970728201621.121B-100000@netrail.net> In-Reply-To: <Pine.BSF.3.95.970728162423.3844B-100000@mail.MCESTATE.COM>
next in thread | previous in thread | raw e-mail | index | archive | help
I have mine set to root-owned and have had no problems. I also made sure my config files were root, otherwise you could change that to run as-root which is just as bad. ------------------------------------------------------------------------- Jonathan A. Zdziarski NetRail Incorporated Server Engineering Manager 230 Peachtree St. Suite 500 jonz@netrail.net Atlanta, GA 30303 http://www.netrail.net (888) - NETRAIL ------------------------------------------------------------------------- On Mon, 28 Jul 1997, Vincent Poy wrote: :On Mon, 28 Jul 1997, Jonathan A. Zdziarski wrote: : :=)As long as httpd and sessiond are owned by something other than what cgi :=)scripts run as you're safe, but if they are both nobody, you can replace :=)the binary...We had it happen to us once with v1.2 this is how I know. : : Hmmm, what should the owners be for those files? Since the apache :cgi scripts are owned by root as far as I can remember. : : :Cheers, :Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ :Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] :GaiaNet Corporation - M & C Estate / / / / | / | __] ] :Beverly Hills, California USA 90210 / / / / / |/ / | __] ] :HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____] : :
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.970728201621.121B-100000>