no calls to seteuid in source tree?

[Aidan Cully <ai...@panix.com>]

A quick text-search through the v1.3.3 source seems to indicate that
while apache is very careful to set the _real_ userid to the server
whose connection we're processing, it never sets the _effective_
userid to the real one.  I'm fairly green to the apache source, so I
expect I'm dead wrong on this, but I'd appreciate it if someone
could tell me either why I'm mistaken, and the effective userid _is_
set, or why this doesn't open up huge root holes in mod_perl, or
executables run without SuEXEC, or symblinks to user-unreadable files
across the entire system..

TIA,
--aidan
-- 
Aidan Cully       "You can't find your waitress/ With a geiger counter..
Panix Staff        She hates you and your friends and you just
aidan@panix.com    Can't get served without her.."	-- Tom Waits

Re: no calls to seteuid in source tree?

[Aidan Cully <ai...@panix.com>]

On Fri, Nov 20, 1998 at 03:57:05PM, Marc Slemko said:
> On Fri, 20 Nov 1998, Aidan Cully wrote:
> 
> > A quick text-search through the v1.3.3 source seems to indicate that
> > while apache is very careful to set the _real_ userid to the server
> > whose connection we're processing, it never sets the _effective_
> 
> setuid() sets the effective, real, and saved UIDs if the caller is root.

Yes, of course..  silly of me.
--aidan

Re: no calls to seteuid in source tree?

[Marc Slemko <ma...@worldgate.com>]

On Fri, 20 Nov 1998, Aidan Cully wrote:

> A quick text-search through the v1.3.3 source seems to indicate that
> while apache is very careful to set the _real_ userid to the server
> whose connection we're processing, it never sets the _effective_

setuid() sets the effective, real, and saved UIDs if the caller is root.