Date:      Mon, 16 Apr 2001 09:28:10 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        ache@nagual.pp.ru (Andrey A. Chernov)
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: ports/www/mnoGoSearch-current Makefile
Message-ID:  <200104161628.JAA52878@gndrsh.dnsmgr.net>
In-Reply-To: <20010416201707.B2726@nagual.pp.ru> from "Andrey A. Chernov" at "Apr 16, 2001 08:17:08 pm"

> On Mon, Apr 16, 2001 at 09:06:23 -0700, Rodney W. Grimes wrote:
> > The whole reason of running apache as nobody.nogroup is so that it can
> > not access a file of any type unless it is world accessible.  The mistake
> 
> Many others will disagree with you. Consider f.e. guestbook which needs
> _write_ access from Apache-running CGIs. I.e.  "can not access any file
> which does not belong to processing using Apache or its CGIs".

They can disagree all they want, the facts remain, nobody and nogroup
belong to the domain of the NFS sub-system, and anyone using them
for anything else is just creating borked code.


> 
> > Does apache need write access to this hierarchy?  If not a simple
> 
> Yes, of course. Not Apache, but its CGI's, i.e. search engine which is the
> port (running as nobody.nogroup too, because CGI).

Search engines shouldn't need write access to anything...

> > Also it seems as if -YOU- are the maintainer of apache, so please can
> > you go fix its abuse of nobody:nogroup.  (Hint: running as nobody:nogroup
> > is _NOT_ the bug.)
> 
> It breaks setups for too many people, so it requires testing in many variants
> and setups I don't have access to, nearly all write access CGIs will be
> broken, so at least all such ports need to be fixed by someone who will
> introduce this change. BTW, I am open to reviewing patches from such a hero.

It's time to break them... this is a security hole for anyone running NFS.

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
