Posted to dev@httpd.apache.org by Aidan Cully <ai...@panix.com> on 1998/11/20 23:53:58 UTC
no calls to seteuid in source tree?
A quick text-search through the v1.3.3 source seems to indicate that
while apache is very careful to set the _real_ userid to the server
whose connection we're processing, it never sets the _effective_
userid to the real one. I'm fairly green to the apache source, so I
expect I'm dead wrong on this, but I'd appreciate it if someone
could tell me either why I'm mistaken, and the effective userid _is_
set, or why this doesn't open up huge root holes in mod_perl, or
executables run without SuEXEC, or symlinks to user-unreadable files
across the entire system..
TIA,
--aidan
--
Aidan Cully "You can't find your waitress/ With a geiger counter..
Panix Staff She hates you and your friends and you just
aidan@panix.com Can't get served without her.." -- Tom Waits
Re: no calls to seteuid in source tree?
Posted by Aidan Cully <ai...@panix.com>.
On Fri, Nov 20, 1998 at 03:57:05PM, Marc Slemko said:
> On Fri, 20 Nov 1998, Aidan Cully wrote:
>
> > A quick text-search through the v1.3.3 source seems to indicate that
> > while apache is very careful to set the _real_ userid to the server
> > whose connection we're processing, it never sets the _effective_
>
> setuid() sets the effective, real, and saved UIDs if the caller is root.
Yes, of course.. silly of me.
--aidan
Re: no calls to seteuid in source tree?
Posted by Marc Slemko <ma...@worldgate.com>.
On Fri, 20 Nov 1998, Aidan Cully wrote:
> A quick text-search through the v1.3.3 source seems to indicate that
> while apache is very careful to set the _real_ userid to the server
> whose connection we're processing, it never sets the _effective_
setuid() sets the effective, real, and saved UIDs if the caller is root.
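
The setuid() behaviour described in the reply above can be verified after the call. The C below is an added example, not code from this thread or from the Apache source; `drop_privileges` and `uid_drop_is_complete` are hypothetical names. It checks that the real and effective UIDs match the target and that a leftover saved UID of 0 cannot be used to return to root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if real and effective UIDs both equal `uid` and, for a non-root
 * target, root cannot be regained (it could be if the saved UID were still 0).
 * Returns 0 otherwise. */
int uid_drop_is_complete(uid_t uid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return 0;   /* saved UID still allowed a switch back to root */
    return 1;
}

/* Hypothetical helper: permanently switch to uid/gid.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Groups first: after the UID drop we no longer have the privilege. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    /* Called as root, setuid() sets real, effective and saved UIDs together.
     * Called as non-root it changes only the effective UID, hence the check. */
    if (setuid(uid) != 0)
        return -1;
    return uid_drop_is_complete(uid) ? 0 : -1;
}

int main(void)
{
    /* Constructed demo: "drop" to the IDs this process already runs as. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("real=%ld effective=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```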