On 2020/04/07 09:01, Theo de Raadt wrote: > This is horrible, as a user can fill the /var filesystem.
they already can with /var/www/logs. On 2020/04/07 11:17, Bryan Steele wrote: > WIth FastCGI, perhaps I'm confused, but why do web applications need to > be inside the /var/www chroot? Can't they be anywhere, or even have a > seperate chroot directory? They can be, but slowcgi defaults are to chroot to /var/www and some cgi programs want access to files withing the web server's chroot directory. > Should we be handling things things that > are not in base? *shrug* > > Index: etc//mtree/4.4BSD.dist > > =================================================================== > > RCS file: /cvs/src/etc/mtree/4.4BSD.dist,v > > retrieving revision 1.314 > > diff -u -p -r1.314 4.4BSD.dist > > --- etc//mtree/4.4BSD.dist 29 Nov 2019 03:28:20 -0000 1.314 > > +++ etc//mtree/4.4BSD.dist 7 Apr 2020 14:37:15 -0000 > > @@ -749,6 +749,7 @@ var > > .. > > run type=dir uname=root gname=daemon > > mode=755 > > .. > > + tmp type=dir uname=root gname=wheel > > mode=01777 > > .. > > > > # ./var/audit > > > > this wasn't tested :)