http://issues.apache.org/bugzilla/show_bug.cgi?id=28567

Summary: overly restrictive suexec makes for inflexible mass hosting security
Product: Apache httpd-2.0
Version: 2.0.49
Platform: All
URL: http://www.dollardns.net
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: Other
Component: support
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

suexec checks to make sure that both the target uid AND gid match the directory and program uid and gid. This is unnecessary; only the uid match check should be performed.

An apache server can be made more secure if the entire /var/www/html/ directory and files belong under the group apache runs as. Each /var/www/html/user/ directory and files belong under the client user. No execute or write access is allowed to anybody but the user. No read access is allowed to anybody but the user and group. SuexecUserGroup is set to the user and the client group - NOT the group apache runs as. This way the user scripts cannot even read files in other users' directories, but apache can.
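The two things the report talks about, the uid/gid ownership check and the per-user directory layout, as an added example written for this page; it is not taken from the bug report and it is not httpd's own suexec.c. The check functions are a simplified model of what the report says suexec does, and the uid/gid values, paths and mode bits are constructed for the example, so nothing here touches a real filesystem.

```c
/* Added example, not from the bug report and not httpd's suexec.c: a model of
 * the ownership check the report describes and of the directory layout it
 * proposes, using constructed uid/gid values and mode bits instead of a real
 * filesystem. Build and run stand-alone: cc -o suexec_model suexec_model.c */
#include <stdio.h>
#include <sys/types.h>

/* Ownership and mode of one path, as stat(2) would report them (constructed). */
struct fileinfo {
    const char *path;
    uid_t uid;
    gid_t gid;
    unsigned mode;   /* permission bits only, e.g. 0750 */
};

/* Permission bits for one class (owner, group or other). */
#define PERM_R 4
#define PERM_W 2
#define PERM_X 1

/* Model of the check the report objects to: the target uid must own both the
 * current directory and the program, and, when require_gid is set, the target
 * gid must match both as well. Returns 1 if suexec would proceed, 0 if it
 * would refuse. Stock behaviour as the report describes it is require_gid=1;
 * the report asks for require_gid=0. */
int suexec_owner_ok(uid_t target_uid, gid_t target_gid,
                    const struct fileinfo *dir, const struct fileinfo *prg,
                    int require_gid)
{
    if (target_uid != dir->uid || target_uid != prg->uid)
        return 0;
    if (require_gid && (target_gid != dir->gid || target_gid != prg->gid))
        return 0;
    return 1;
}

/* POSIX permission-class lookup for a process with one uid and one gid
 * (supplementary groups are ignored here). 'want' is a PERM_* mask; the
 * owner class applies if the uid matches, else the group class if the gid
 * matches, else the other class. Returns 1 if every wanted bit is granted. */
int can_access(const struct fileinfo *f, uid_t uid, gid_t gid, unsigned want)
{
    unsigned bits;
    if (uid == f->uid)
        bits = (f->mode >> 6) & 7;
    else if (gid == f->gid)
        bits = (f->mode >> 3) & 7;
    else
        bits = f->mode & 7;
    return (bits & want) == want;
}

/* Constructed ids: the account httpd runs as, and two hosted clients. */
enum { APACHE_UID = 48, APACHE_GID = 48,
       ALICE_UID = 1001, ALICE_GID = 1001,
       BOB_UID = 1002, BOB_GID = 1002 };

/* The layout from the report: each per-user tree is owned by the client user
 * and grouped under httpd's group; the owner may write and execute, the group
 * may only read (plus traverse on directories), others get nothing.
 * Paths and modes are constructed for the example. */
const struct fileinfo alice_dir = { "/var/www/html/alice",         ALICE_UID, APACHE_GID, 0750 };
const struct fileinfo alice_cgi = { "/var/www/html/alice/run.cgi", ALICE_UID, APACHE_GID, 0740 };
const struct fileinfo bob_dir   = { "/var/www/html/bob",           BOB_UID,   APACHE_GID, 0750 };

int main(void)
{
    /* 1. The stock check (uid AND gid) refuses the layout when SuexecUserGroup
     *    names the client's own group, because the files' gid is httpd's. */
    printf("stock check, target alice:alice    -> %s\n",
           suexec_owner_ok(ALICE_UID, ALICE_GID, &alice_dir, &alice_cgi, 1) ? "allowed" : "refused");
    /* 2. A uid-only check, as the report proposes, accepts it. */
    printf("uid-only check, target alice:alice -> %s\n",
           suexec_owner_ok(ALICE_UID, ALICE_GID, &alice_dir, &alice_cgi, 0) ? "allowed" : "refused");
    /* 3. Why the client group matters: a script running as alice:alice cannot
     *    read bob's tree, while httpd (apache:apache) can. */
    printf("alice:alice reads bob's dir        -> %s\n",
           can_access(&bob_dir, ALICE_UID, ALICE_GID, PERM_R) ? "yes" : "no");
    printf("apache:apache reads bob's dir      -> %s\n",
           can_access(&bob_dir, APACHE_UID, APACHE_GID, PERM_R | PERM_X) ? "yes" : "no");
    /* 4. The setting that satisfies the stock check, SuexecUserGroup with
     *    httpd's group, gives alice's script group access to bob's tree. */
    printf("alice:apache reads bob's dir       -> %s\n",
           can_access(&bob_dir, ALICE_UID, APACHE_GID, PERM_R | PERM_X) ? "yes" : "no");
    return 0;
}
```

The point the model makes visible is that, with the files grouped under httpd's group, the only SuexecUserGroup that passes the stock uid-and-gid check is one that hands every client's scripts that same group, which is exactly the group the layout relies on to keep clients out of each other's trees; the uid-only check lets the gid stay per-client while httpd keeps group read access.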
