>Number: 4178
>Category: suexec
>Synopsis: Suexec allows insecure umask
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Mar 31 06:30:01 PST 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.3.6
>Environment: SunOS hen.doc.ic.ac.uk 5.6 Generic_105181-03 sun4u sparc SUNW,Ultra-1
>Description:
Suexec does not set the umask before running a cgi script.
Files created by a naive cgi script may inadvertently have overly generous permissions. An appropriate default mask would be 077. A configuration option (--suexec-umask=) could be introduced.
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
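The effect described in the report, as an added example that is not part of the original report and is not taken from Apache's suexec source: a child process stands in for a naive CGI script that creates a file with mode 0666, once with the inherited umask left alone and once with the mask reset to 077 first. The helper name `mode_of_cgi_file`, its parameters and the scratch path under `/tmp` are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not suexec code): run a stand-in for a naive CGI in a
 * child and return the permission bits of the file it creates.
 * inherited:    umask the child starts with, as passed down from the server.
 * wrapper_mask: mask the wrapper sets before handing over control, or -1 to
 *               leave the inherited mask alone (the behaviour reported). */
int mode_of_cgi_file(mode_t inherited, int wrapper_mask)
{
    char dir[] = "/tmp/umask-demo-XXXXXX", path[64];
    struct stat st;
    int status, mode = -1;

    if (mkdtemp(dir) == NULL)               /* private scratch directory */
        return -1;
    snprintf(path, sizeof path, "%s/out.txt", dir);

    pid_t pid = fork();
    if (pid == 0) {
        umask(inherited);
        if (wrapper_mask >= 0)
            umask((mode_t)wrapper_mask);    /* the reset the report asks for */
        /* Naive script: requests 0666 and relies on the umask to trim it. */
        _exit(open(path, O_WRONLY | O_CREAT | O_EXCL, 0666) < 0);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
        WEXITSTATUS(status) == 0 && stat(path, &st) == 0)
        mode = (int)(st.st_mode & 0777);
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("inherited 000, no reset : %04o\n", (unsigned)mode_of_cgi_file(0, -1));
    printf("inherited 022, no reset : %04o\n", (unsigned)mode_of_cgi_file(022, -1));
    printf("inherited 000, reset 077: %04o\n", (unsigned)mode_of_cgi_file(0, 077));
    return 0;
}
```

With no reset, the file's permissions depend entirely on whatever umask the server process happened to be started with; with the reset, the result is 0600 regardless.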