Date: Mon, 11 Apr 2005 17:37:06 +0200
From: Jilles Tjoelker <jilles@stack.nl>
To: Jan Grant <Jan.Grant@bristol.ac.uk>
Cc: freebsd-security@freebsd.org
Subject: Re: /etc/rc.bsdextended: am I misunderstanding this..?
Message-ID: <20050411153706.GA62233@stack.nl>
In-Reply-To: <Pine.GSO.4.61.0504111434030.18516@mail.ilrt.bris.ac.uk>
References: <Pine.GSO.4.61.0504111434030.18516@mail.ilrt.bris.ac.uk>

On Mon, Apr 11, 2005 at 02:45:31PM +0100, Jan Grant wrote:
> Can someone clear something up for me?
> [[[
> # For apache to read user files, the ruleadd must give
> # it permissions by default.
> ####
> ${CMD} add subject uid 80 object not uid 80 mode rxws;
> ${CMD} add subject gid 80 object not gid 80 mode rxws;
> ]]]
> Doesn't the above mean that an apache user (eg, user-supplied CGI
> process, PHP script, etc) has the ability to read (and write!) anything
> in the filesystem?

MAC restrictions apply in addition to normal restrictions, i.e. an
access is allowed only if both the normal filesystem permissions and
ugidfw permit it.

-- 
Jilles Tjoelker
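
The composition described in the reply, as an added example that is not part of the original message: a simplified Python model in which an access needs both the file's permission bits and the ugidfw rules to permit it. The `Rule` structure, the evaluation order (no matching rule permits; every matching rule must list the requested mode) and the owner/group/other-only DAC check are assumptions made for illustration, not FreeBSD's implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int

@dataclass(frozen=True)
class File:
    uid: int
    gid: int
    mode: int  # classic permission bits, e.g. 0o644

@dataclass(frozen=True)
class Rule:
    # Hypothetical, simplified ugidfw rule: one subject match, one object match.
    subj_field: str   # "uid" or "gid"
    subj_id: int
    obj_field: str    # "uid" or "gid"
    obj_id: int
    obj_negate: bool  # True for "object not uid N"
    modes: str        # modes the rule grants, e.g. "rxws"

# The two rules quoted in the message.
RULES = [
    Rule("uid", 80, "uid", 80, True, "rxws"),
    Rule("gid", 80, "gid", 80, True, "rxws"),
]

def dac_permits(cred, f, want):
    """Owner/group/other bits only (assumption: no ACLs, no root override)."""
    shift = 6 if cred.uid == f.uid else 3 if cred.gid == f.gid else 0
    bits = (f.mode >> shift) & 0o7
    return bool(bits & {"r": 4, "w": 2, "x": 1}[want])

def ugidfw_permits(cred, f, want, rules=RULES):
    """Assumed model: a matching rule that lacks the mode denies; no match permits."""
    for r in rules:
        subj_ok = getattr(cred, r.subj_field) == r.subj_id
        obj_ok = (getattr(f, r.obj_field) == r.obj_id) != r.obj_negate
        if subj_ok and obj_ok and want not in r.modes:
            return False
    return True

def access_allowed(cred, f, want, rules=RULES):
    # The point of the reply: both layers must say yes.
    return dac_permits(cred, f, want) and ugidfw_permits(cred, f, want, rules)
```

With `Cred(80, 80)` as the apache subject, a mode 0600 file owned by another user is refused by the permission bits even though both quoted rules list `w`.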