Hosting Provided By

Bug#431048: suexec permissions are DANGEROUS

From: Stefan Fritsch <sf(at)debian.org>
Date: Fri Jun 29 2007 - 12:25:05 EDT

On Freitag, 29. Juni 2007, James Le Cuirot wrote:
> This allows ANYONE to run suexec as root. I can't believe this has
> slipped through. As the Apache docs very clearly state over at
> http://httpd.apache.org/docs/2.2/suexec.html, they should be set
> with...

This problem isn't very severe. suexec checks which user executed it and aborts if it wasn't www-data. So the permissions are just an additional safeguard against bugs in suexec.

But I agree that this should be fixed (probably in etch r2).

Cheers,
Stefan

-- 
To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


application/pgp-signature attachment: This is a digitally signed message part.

Received on Fri Jun 29 12:40:23 2007

This message: [ Message body ]
Next message: Debian Bug Tracking System: "Processed: tagging 431048"
Previous message: Debian Bug Tracking System: "Processed: severity of 431048 is important, tagging 431048"
In reply to: James Le Cuirot: "Bug#431048: suexec permissions are DANGEROUS"
Next in thread: Debian Bug Tracking System: "Bug#431048: marked as done (suexec permissions are DANGEROUS)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Fri Jun 29 2007 - 12:50:02 EDT