But how would someone other than root or httpd write to the folders? In other words, for the cgi/perl script you mentioned, how would it be written in those dirs owned by httpd? Remember under /web we have a folder owned by httpd and grouped as httpd with r-x only. Am I missing something?

KAL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of shimi
Sent: Sunday, June 24, 2001 4:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [cobalt-developers] Security issues with running files owned by httpd under a virtual site.

On Sat, 23 Jun 2001, KAMRY wrote:

> But can't they have privileges to the httpd daemon and probably do some stuff
> on that daemon.
>
> Kal
>

I don't recall Apache having any control system or any interactive session or whatever that can be controlled from the outside... but now that you mentioned it, I do think of a problem that may occur. Someone who played more than me on this is welcome to tell what this CGI script will do:

#!/bin/sh
killall -9 httpd

Indeed looks serious to me, even with CGIwrap (as you can do exec from SSI as well.) - ideas, anyone?

- shimi

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
