[
https://issues.apache.org/jira/browse/TS-203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13875883#comment-13875883
]
Leif Hedstrom commented on TS-203:
----------------------------------
When we have config files being Lua script, this becomes even more problematic.
Being able to modify the Lua script when compromising e.g. traffic_server could
allow arbitrary code execution.
> config files ownership
> ----------------------
>
> Key: TS-203
> URL: https://issues.apache.org/jira/browse/TS-203
> Project: Traffic Server
> Issue Type: Bug
> Components: Build
> Reporter: Leif Hedstrom
> Priority: Minor
> Fix For: 5.0.0
>
>
> It's semi-odd that the admin user (nobody) is also the user as to which
> traffic_server process changes its euid to. This means that the
> traffic_server process has write permissions on the config files.
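One way to check for the condition this issue describes, as an added example that is not code from the issue or from the Traffic Server project: walk a config directory and list every file or directory that a given runtime uid could modify or replace. It assumes plain POSIX mode bits (no ACLs, no root or capability overrides), and the helper names, file names and uids in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """POSIX mode-bit rule: exactly one class applies (owner, else group, else other)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(config_dir, uid, gids=()):
    """Return sorted paths under config_dir that the runtime uid can modify or replace."""
    gids = set(gids)
    findings = []
    for root, _dirs, files in os.walk(config_dir):
        # A writable directory lets the user swap out files that are themselves read-only.
        for path in [root] + [os.path.join(root, name) for name in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if can_write(st, uid, gids):
                findings.append(path)
    return sorted(findings)

def demo():
    """Constructed layout: compare a shared admin/runtime uid with a separate runtime uid."""
    with tempfile.TemporaryDirectory() as cfg:
        os.chmod(cfg, 0o755)
        for name, mode in (("example.config", 0o644), ("example.lua", 0o666)):
            path = os.path.join(cfg, name)
            with open(path, "w") as fh:
                fh.write("-- constructed sample\n")
            os.chmod(path, mode)  # set explicitly so the umask does not matter
        owner = os.getuid()   # runtime user is also the file owner (the case in the issue)
        other = owner + 1     # hypothetical separate runtime uid with no shared groups
        rel = lambda paths: [os.path.relpath(p, cfg) for p in paths]
        return rel(audit(cfg, owner)), rel(audit(cfg, other))

if __name__ == "__main__":
    shared, separate = demo()
    print("runtime uid owns the files:", shared)
    print("separate runtime uid:      ", separate)
```

An empty result for the runtime uid is the target state; any Lua config that still appears in the list stays writable by the server process.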