[cgiwrap-users] RE: Apache suexec (auxgroup minimum gid)
From: Neulinger, N. <nn...@um...> - 2001-10-30 15:22:12
I have just released cgiwrap-3.7.1 which adds a --with-minimum-gid option to cgiwrap that checks both primary gid and auxiliary gids. It is not enabled by default to keep behavior same as previous releases.

I would tend to agree with the comments below though, not really a big issue, but simple enough to add the optional check.

New tars should show up on the sourceforge project file list...

http://sourceforge.net/project/showfiles.php?group_id=8209

-- Nathan

> -----Original Message-----
> From: Pavel Kankovsky [mailto:pe...@ar...]
> Sent: Friday, October 26, 2001 6:33 AM
> To: Stefanos Harhalakis
> Cc: bu...@se...
> Subject: Re: Apache suexec
>
> On Wed, 24 Oct 2001, Stefanos Harhalakis wrote:
>
> > Suppose we have mingid==100 and a user with gid==0 which belongs to groups
> > 123,234,345. Suexec will not execute any script for this user.
> >
> > Now suppose we have the same user with gid==123 which belongs to groups
> > 0,234,345. Suexec will execute any cgi without problem. The running cgi will
> > be a member of all those groups.
>
> suexec does not check supplementary groups. It could do it but I do not
> think it is a serious problem--the motivation behind the checks is to
> avoid accidental invocation of CGI programs running under root or other
> special accounts.
>
> --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."
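
The difference between a primary-only minimum-gid check and one that also covers auxiliary gids, as discussed in the message above, shown as an added example that is not part of the original e-mail and is not cgiwrap or suexec source code. The function names are hypothetical and the gid values are the ones used in the quoted scenario.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Primary-gid-only policy: the behaviour the thread attributes to suexec. */
int primary_only_ok(gid_t primary, gid_t min_gid)
{
    return primary >= min_gid;
}

/* Primary plus auxiliary policy. Returns 1 when every gid is >= min_gid,
 * otherwise 0 with the first offending gid stored in *bad. */
int all_groups_ok(gid_t primary, const gid_t *aux, size_t n_aux,
                  gid_t min_gid, gid_t *bad)
{
    if (primary < min_gid) { *bad = primary; return 0; }
    for (size_t i = 0; i < n_aux; i++)
        if (aux[i] < min_gid) { *bad = aux[i]; return 0; }
    return 1;
}

/* Same policy applied to the calling process after it has switched
 * identity. Returns 1 = ok, 0 = reject, -1 = could not read the groups. */
int current_process_ok(gid_t min_gid, gid_t *bad)
{
    int n = getgroups(0, NULL);            /* ask for the count first */
    if (n < 0) return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof *list);
    if (!list) return -1;
    n = getgroups(n, list);
    int rc = (n < 0) ? -1
                     : all_groups_ok(getgid(), list, (size_t)n, min_gid, bad);
    free(list);
    return rc;
}

int main(void)
{
    /* Constructed sample: gid 123 with auxiliary groups 0,234,345. */
    const gid_t aux[] = { 0, 234, 345 };
    gid_t bad = 0;
    printf("primary-only check: %s\n",
           primary_only_ok(123, 100) ? "allowed" : "rejected");
    if (!all_groups_ok(123, aux, 3, 100, &bad))
        printf("all-groups check: rejected (gid %lu < 100)\n",
               (unsigned long)bad);
    return 0;
}
```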