#1 Caller uid check feature for 2.0's validate

open
nobody
None
5
2003-01-16
2003-01-16
Jaeho Shin
No

For better security, I've added some code to
``validate.c'' for checking the uid that called
``validate''. Similar to what Apache's suEXEC does, it
compares the real uid with the predefined caller uid.
It proceeds with validation if the two match, or halts with an
error message otherwise. With this, we can restrict the
use of ``validate'' to only the user who's running Apache.

Discussion

  • Logged In: YES
    user_id=1172462
    Originator: NO

    You can do that using plain permissions if I'm not mistaken. My Apache runs as group 'nobody', so the permissions on 'validate' are
    -rwsr-x--- 1 root nobody 8168 May 29 19:30 /usr/local/sbin/validate
    so it gets executed setuid root, but only for users in the 'nobody' group (and root, of course). Others are denied access.