The following reply was made to PR suexec/2868; it has been noted by GNATS.

From: Marc Slemko <[EMAIL PROTECTED]>
To: Erich Stuntebeck <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: suexec/2868: Apache allows execution of setuid cgi's without
 suexec installed.
Date: Tue, 18 Aug 1998 14:26:45 -0700 (PDT)

 On Tue, 18 Aug 1998, Erich Stuntebeck wrote:
 
 > So you are saying that the setuid bit should not be set on files, and 
 > that suExec will automatically run the cgi as the user it is owned by?
 
 Yes, subject to the constraints listed in the documentation.
 
 suexec has nothing to do with the setuid bit on files.
 
 > 
 > 
 > Synopsis: Apache allows execution of setuid cgi's without suexec 
 > installed.
 > 
 > State-Changed-From-To: open-closed
 > State-Changed-By: marc
 > State-Changed-When: Tue Aug 18 13:25:26 PDT 1998
 > State-Changed-Why:
 > Erm... yea, so?
 > 
 > That is the way Unix has always worked.  If a program is
 > setuid then it executes by the user it is setuid to.  That
 > isn't a bug or a feature in Apache, but just the way things
 > are on Unix.
 > 
 > Note that this also allows others to execute it setuid
 > to whatever user you setuid it to, which can lead to
 > security issues if your CGI isn't secure.
 > 
 

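An added example, not part of the original message or of Apache's own code: a Python audit that walks a CGI directory and reports regular files carrying the setuid or setgid bit, along with whether group or other users (such as the web server account) can execute them. The function name `audit_cgi_dir` and the report fields are assumptions made for this illustration.

```python
import os
import pwd
import stat
import sys


def owner_name(uid):
    """Resolve a uid to a user name, falling back to the number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_cgi_dir(root):
    """Return one dict per regular file under root that has setuid or setgid set."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the entry itself, not a symlink target
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = [label
                    for mask, label in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                    if st.st_mode & mask]
            if not bits:
                continue
            findings.append({
                "path": path,
                "owner": owner_name(st.st_uid),
                "bits": bits,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                # True when someone other than the owner may execute the file,
                # i.e. the case the PR describes: it runs as the file's owner.
                "runnable_by_others": bool(st.st_mode & (stat.S_IXGRP | stat.S_IXOTH)),
            })
    return findings


if __name__ == "__main__":
    # Directory to audit is passed on the command line; defaults to the current one.
    for f in audit_cgi_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["mode"], f["owner"], ",".join(f["bits"]),
              "others-can-run" if f["runnable_by_others"] else "owner-only", f["path"])
```
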