Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1996/06/04 23:41:23 UTC
Re: WWW Form Bug Report: "cgi-bin scripts get run as root despite conf" on Irix
thanks. I'll pass the information on.
>Submitter: jgd@lanl.gov
>Operating system: Irix, version: 5.3
>Version of Apache Used: 1.1b2
>Extra Modules used:
>URL exhibiting problem:
>
>Symptoms:
>--
>If you launch httpd from inetd as follows:
>http stream tcp nowait root /usr/local/apache_1.1b2/etc/httpd httpd -f /usr/local/apache_1.1b2/conf/httpd.conf
>
>And with a httpd.conf that says
>User nobody
>Group nogroup
>
>the httpd runs cgi-bin scripts as root as evidenced by my ability to read /etc/shadow
>with a simple cat script in cgi-bin, despite the following permissions...
>
>-r-------- 1 root sys 508 Jun 3 16:07 /etc/shadow
>
>
>It appears that the beta server is not properly setting the reuid before running
>a cgi-bin script! It can be argued that the launch is incorrect, since the user should be
>`nobody' in the inetd.conf data, but the config file should be respected (IMHO).
>
>--
>
>Backtrace:
>--
>
>--
--
Rob Hartill (robh@imdb.com)
The Internet Movie Database (IMDb) http://www.imdb.com/
...more movie info than you can poke a stick at.
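
The quoted report describes a server started as root that does not switch to the configured User/Group before running a CGI script. The following is an added example, not part of the original message and not Apache's code, of a drop-and-verify sequence in C that a launcher could run before executing a child program. The function names and the 65534 IDs are assumptions for illustration.

```c
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 only if real and effective IDs all equal the configured ones. */
int ids_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Hypothetical helper: switch to uid/gid and confirm the switch is final.
 * Returns 0 on success, -1 on failure; the caller must not exec on -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;              /* "dropping" to root is a config error */
    /* Order matters: supplementary groups, then gid, then uid. After the
     * uid changes, the process can no longer change its groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;              /* only root may (and must) reset groups */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the result instead of trusting return codes alone. */
    if (!ids_match(uid, gid))
        return -1;
    if (setuid(0) == 0)
        return -1;              /* root was regainable: drop incomplete */
    return 0;
}

int main(void)
{
    /* Constructed sample IDs standing in for the User/Group directives. */
    uid_t uid = 65534; gid_t gid = 65534;
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to run child\n");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

The key point is failing closed: if any step or the final check fails, the child program is never executed.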