http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15613

Summary: suexec requires annoyance condition (uid) of CGI dir/file
Product: Apache httpd-2.0
Version: 2.0.43
Platform: All
OS/Version: All
Status: NEW
Severity: Major
Priority: Other
Component: mod_suexec
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

Why does suexec require that the target (SuexecUserGroup) user is the same as the user of the CGI directory/file?

If a CGI script has a security vulnerability, an attacker can modify all CGI files (if target user == user of CGI file) or create new files in all CGI directories (if target user == user of CGI directory).

Any daemon (not specific to Apache) should be run as a user that is NOT the same as the content owner.

# Sorry for my stupid English. I'm Japanese.
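To see how much of a CGI tree the suexec target user can modify, which is the exposure this report describes, the following audit lists every directory and regular file that a given uid can write to. It is an added example, not part of the bug report or of Apache; `writable_by` and `audit_cgi_tree` are hypothetical names, and the check models classic Unix mode bits only (no ACLs, no root override, no immutable flags).

```python
import os
import stat
import sys

def writable_by(st, uid, gids):
    """Mode-bit check: may (uid, gids) write to the object described by st?

    Assumption: plain owner/group/other semantics. The first matching
    class decides, as in the kernel's permission check.
    """
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_cgi_tree(root, uid, gids):
    """Return sorted (kind, path) pairs under root that uid/gids can modify.

    A writable directory means new files can be created in it; a writable
    file means an existing script can be replaced in place.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if writable_by(os.lstat(dirpath), uid, gids):
            findings.append(("dir", dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and writable_by(st, uid, gids):
                findings.append(("file", path))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: audit.py <cgi-root> <target-uid> [gid ...]
    root, uid = sys.argv[1], int(sys.argv[2])
    gids = {int(g) for g in sys.argv[3:]}
    for kind, path in audit_cgi_tree(root, uid, gids):
        print(f"{kind}\t{path}")
```

When the target uid is also the owner of the tree, every owner-writable script and directory appears in the output; for a uid that owns nothing under the root, only group- or world-writable entries do.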
