You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1996/06/04 23:41:23 UTC

Re: WWW Form Bug Report: "cgi-bin scripts get run as root despite conf" on Irix

thanks. I'll pass the information on.

>Submitter: jgd@lanl.gov
>Operating system: Irix, version: 5.3
>Version of Apache Used: 1.1b2
>Extra Modules used: 
>URL exhibiting problem: 
>
>Symptoms:
>--
>If you launch httpd from inetd as follows:
>http    stream  tcp     nowait  root    /usr/local/apache_1.1b2/etc/httpd       httpd -f /usr/local/apache_1.1b2/conf/httpd.conf
>
>And with a httpd.conf that says
>User nobody
>Group nogroup
>
>the httpd runs cgi-bin scripts as root as evidenced by my ability to read /etc/shadow
>with a simple cat script in cgi-bin, despite the following permissions...
>
>-r--------    1 root     sys          508 Jun  3 16:07 /etc/shadow
>
>
>It appears that the beta server is not properly setting the reuid before running
>a cgi-bin script!  It can be argued that the launch is incorrect, since the user should be
>`nobody' in the inetd.conf data, but the config file should be respected (IMHO).
>
>--
>
>Backtrace:
>--
>
>--


-- 
Rob Hartill (robh@imdb.com)
The Internet Movie Database (IMDb)  http://www.imdb.com/
           ...more movie info than you can poke a stick at.