You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Brian Behlendorf <br...@hyperreal.com> on 1996/06/06 08:52:04 UTC
Re: WWW Form Bug Report: "cgi-bin scripts get run as root despite conf" on Irix (fwd)
(the anti-spam measures on hyperreal caught this since Jerry's not on this
list)
---------- Forwarded message ----------
Date: Wed, 5 Jun 1996 13:54:31 -0600 (MDT)
From: "Jerry G. DeLapp" <jg...@lanl.gov>
To: "Robert S. Thau" <rs...@ai.mit.edu>
Cc: new-httpd@hyperreal.com
Subject: Re: WWW Form Bug Report: "cgi-bin scripts get run as root despite conf" on Irix
>>>>> You wrote me:
Robert> Hi. In re your recent report on CGI scripts running from a server on
Robert> inetd:
Robert> The User and Group directives in the config files are not honored when
Robert> the server is run from inetd --- the assumption is that you will have
Robert> set the correct user to run as in the httpd line in inetd.conf. You
Robert> may well be running the server as root generally...
The documentation that ships with the server code needs to say this, then, in
REALLY BIG LETTERS, because I sure believed it when it said it would
setuid/gid before it did anything. Those docs didn't say squat that I saw
about ignoring the conf file when run from inetd. It was only by chance
that I noticed that my system security had been shot to heck by your server.
I think this behavior is dead flat wrong.
I consider this sort of asymmetric behavior to be creaping featurism of the
worst kind (i.e. I think it is a bug). If I wanted the server to run as root,
I sure would not have put "nobody" into the conf file, and if I wanted a
special case server, I would start it with a different config file. Do other
servers (e.g. CERN) behave in this fashion?
This also creates all kinds of problems. I can't just restart with nobody
as the inetd user because the log files are owned by root, and frankly, I'd
rather they were owned by root instead of nobody!!!. Likewise, the
directories in the install are all owned by sys, which makes the initial
creation of new log files problematic.
Any chance y'all will reconsider this bit of wierdness, or am I just wasting
my breath?
--
Jerry DeLapp -- CIC-5 Advanced Networking Team -- (505)665-4531 <jg...@lanl.gov>
Bits and bytes, as fast as we can blast 'em. -- The Advanced Networking Team