The following reply was made to PR config/1347; it has been noted by GNATS.
From: Marc Slemko <[EMAIL PROTECTED]>
To: Apache bugs database <[EMAIL PROTECTED]>
Cc:
Subject: Re: config/1347: Serving pages as root. (fwd)
Date: Sat, 1 Nov 1997 14:19:01 -0700 (MST)

---------- Forwarded message ----------
Date: Sat, 1 Nov 1997 14:12:57 -0700
From: Bob Ross <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: config/1347: Serving pages as root.

Thanks, I'll have to re-write the cgi to work in the background instead of
from a form. Would not be too much trouble to set a cron to look for a file
and then process the information in it.

Thanks for your reply.
Bob Ross

-----Original Message-----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Saturday, November 01, 1997 1:54 PM
Subject: Re: config/1347: Serving pages as root.

>Synopsis: Serving pages as root.
>
>State-Changed-From-To: open-closed
>State-Changed-By: marc
>State-Changed-When: Sat Nov 1 12:59:05 PST 1997
>State-Changed-Why:
>What you are doing was a very poor security practice before
>and is still a very poor security practice.
>
>You could make your CGI setuid root, make a special group
>for your server, and then make it only group (ie. not world)
>executable. That still isn't very smart security practice,
>because it means if anyone compromises your http server
>they can likely gain root.
>
>If you wish to disable the check for running as uid0,
>it is explained clearly how to do so in the error message
>generated when you try. This will leave you with something
>just as insecure as your old setup.
>
>We really can't go step by step through the ways you can
>accomplish what you want; you could try asking in the
>appropriate Usenet newsgroup, but be aware that it takes
>a good bit of knowledge about security to do what you want
>safely.
>
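
The cron-driven approach mentioned in the reply above moves the trust boundary to the spool file: the privileged job must treat everything the unprivileged CGI wrote as hostile input. The sketch below is an added example, not code from the thread or from Apache; the one-line "action name" file format, the action names, the size limit and the function names are all assumptions made for illustration.

```python
import os
import re
import stat

MAX_BYTES = 4096                                  # assumed cap for one request
ALLOWED_ACTIONS = {"add_alias", "remove_alias"}   # hypothetical action names
NAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")    # hypothetical argument syntax


def read_request(path, expected_uid):
    """Return (action, name) from one spool file, or raise ValueError."""
    # O_NOFOLLOW refuses a symlink planted in the spool directory;
    # O_NONBLOCK keeps the open from hanging if the entry is a FIFO.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise ValueError(f"cannot open safely: {exc}") from exc
    try:
        st = os.fstat(fd)          # check the opened object, not the path
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        if st.st_uid != expected_uid:
            raise ValueError("unexpected owner")
        if st.st_nlink != 1:
            raise ValueError("hard-linked file")
        if st.st_size > MAX_BYTES:
            raise ValueError("request too large")
        data = os.read(fd, MAX_BYTES)
    finally:
        os.close(fd)
    # Non-ASCII input raises UnicodeDecodeError, a subclass of ValueError.
    fields = data.decode("ascii").split()
    if len(fields) != 2:
        raise ValueError("expected exactly: action name")
    action, name = fields
    if action not in ALLOWED_ACTIONS or not NAME_RE.fullmatch(name):
        raise ValueError("action or name not on the allowlist")
    return action, name


def process_spool(spool_dir, expected_uid):
    """Validate every spool entry; return (accepted, rejected) lists."""
    accepted, rejected = [], []
    for entry in sorted(os.listdir(spool_dir)):
        try:
            accepted.append(read_request(os.path.join(spool_dir, entry), expected_uid))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return accepted, rejected
```

The privileged job then dispatches each accepted pair to fixed code, never interpolating the file contents into a shell command, and removes processed files itself.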
