Re: [mod-security-users] Patch to avoid mod_security execute upload approve scripts with suEXEC
From: Ivan R. <iv...@we...> - 2005-12-19 19:16:49
mb...@co... wrote:
> Hi,
>
> this is also a followup to Justin Grindea and "clamav perl scrip and su_exec".
>
> We faced the same problem and considered it a design error for an upload approve
> script to be called using suEXEC for these two reasons:
>
> 1. suEXEC executes CGIs as different users, which might
> not have access to the uploaded files (which are usually
> in /tmp and owned by www-data:www-data, permissions 600)
>
> 2. suEXEC check 18, "Is the target user/group the same as
> the program's user/group?" means for us that we would need
> as many upload approve scripts as virtual hosts, each
> owned by the user the respective virtual host runs his
> CGIs under.

Hi Michael,

You (and other users that complained in the past) have convinced me. In 1.9.2 there will be a compile-time switch DISABLE_SUEXEC to take SuEXEC away. If that works well I will make it the default option in 2.x.

Thank you for your input.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
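The two failure modes listed in the quoted message, modelled as an added example (not part of the thread and not ModSecurity or Apache code). The uids, vhost names and function names are constructed, only the primary group is modelled, and it is assumed that without suEXEC the script runs as the server user.

```python
import stat
from collections import namedtuple

Ident = namedtuple("Ident", "uid gid")  # numeric user and primary group

def can_read(owner, mode, proc):
    """Classic Unix read check; supplementary groups and ACLs are not modelled."""
    if proc.uid == owner.uid:
        return bool(mode & stat.S_IRUSR)
    if proc.gid == owner.gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def approver_problems(script_owner, upload_owner, upload_mode, target):
    """Reasons an approver script fails when suEXEC runs it as `target`."""
    problems = []
    # Reason 2 in the message: suEXEC check 18 wants the program's
    # user/group to be the same as the target user/group.
    if script_owner != target:
        problems.append("check18: script owner differs from target user/group")
    # Reason 1: once running as the target user, the script still has to
    # read an upload that belongs to the web server user.
    if not can_read(upload_owner, upload_mode, target):
        problems.append("read: target user cannot read the uploaded file")
    return problems

# Constructed sample: one approver script owned by alice, two virtual hosts,
# uploads stored as www-data:www-data with mode 600 as in the message.
WWW_DATA = Ident(33, 33)
VHOSTS = {"alice.example": Ident(1001, 1001), "bob.example": Ident(1002, 1002)}
SCRIPT_OWNER = VHOSTS["alice.example"]
UPLOAD_MODE = 0o600

def survey():
    """Run the model for every constructed virtual host."""
    return {name: approver_problems(SCRIPT_OWNER, WWW_DATA, UPLOAD_MODE, target)
            for name, target in VHOSTS.items()}

def without_suexec():
    """Assumption: with suEXEC out of the path the script runs as www-data."""
    return can_read(WWW_DATA, UPLOAD_MODE, WWW_DATA)

if __name__ == "__main__":
    for vhost, problems in survey().items():
        print(vhost, problems or "ok")
    print("no suEXEC, upload readable:", without_suexec())
```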