Bug#499191: Possible security issues

2009-02-07 Thread Alexander Prinsier
Stefan Fritsch wrote:
> On Wednesday 04 February 2009, Alexander Prinsier wrote:
>> Well yeah, if you misconfigure your system, it's easy to bypass all
>> sorts of things :), like you illustrated below. (misconfigured
>> because you apparently allow the execution of any binary as any
>> user).
>
>

Bug#499191: Possible security issues

2009-02-07 Thread Stefan Fritsch
On Wednesday 04 February 2009, Alexander Prinsier wrote:
> Well yeah, if you misconfigure your system, it's easy to bypass all
> sorts of things :), like you illustrated below. (misconfigured
> because you apparently allow the execution of any binary as any
> user).

Considering that the majority o

Bug#499191: Possible security issues

2009-02-04 Thread Alexander Prinsier
Stefan Fritsch wrote:
> On Wednesday 04 February 2009, Alexander Prinsier wrote:
>>> You are just considering pure web servers. On a machine that has
>>> a web server running but is also used for other things, users'
>>> home directories will contain many things that are not readable
>>> by the use

Bug#499191: Possible security issues

2009-02-04 Thread Stefan Fritsch
On Wednesday 04 February 2009, Alexander Prinsier wrote:
> > You are just considering pure web servers. On a machine that has
> > a web server running but is also used for other things, users'
> > home directories will contain many things that are not readable
> > by the user www-data. If you have

Bug#499191: Possible security issues

2009-02-03 Thread Alexander Prinsier
Stefan Fritsch wrote:
>> If a user is allowed to create a php script that will be executed
>> as www-data, he can just go read everyone else's data (like a
>> config.php which includes passwords to databases etc), because
>> everyone else's data must be readable by www-data to get served by
>> apac

Bug#499191: Possible security issues

2009-02-03 Thread Stefan Fritsch
I haven't looked at your patch yet, but here are some more arguments.

On Saturday 24 January 2009, Alexander Prinsier wrote:
> > Not so. But this would mean that in many setups, any user would
> > be allowed to execute any root-owned program under the document
> > root that has mode +x as any _oth

Bug#499191: Possible security issues

2009-02-01 Thread Alexander Prinsier
Alexander Prinsier wrote:
> I have a patch prepared. Attached is what I got so far, and seems to be
> working fine. (It's the modified .dpatch file, not a patch to a dpatch).

And this is the file...

#! /bin/sh /usr/share/dpatch/dpatch-run
## 202_suexec-custom.dpatch by Stefan Fritsch
##
## All li

Bug#499191: Possible security issues

2009-02-01 Thread Alexander Prinsier
I have a patch prepared. Attached is what I got so far, and seems to be working fine. (It's the modified .dpatch file, not a patch to a dpatch). So now a third line in /etc/apache2/suexec/www-data is supported, being a cgi_docroot. Scripts inside this cgi_docroot, and owned by root are allowed to

Bug#499191: Possible security issues

2009-01-24 Thread Alexander Prinsier
> Not so. But this would mean that in many setups, any user would be
> allowed to execute any root-owned program under the document root
> that has mode +x as any _other_ user (above uid 100). This is
> something that no admin would expect. The restriction that suexec can
> only be executed by apac