Bug#499191: Possible security issues

To: 499191@bugs.debian.org
Subject: Bug#499191: Possible security issues
From: Alexander Prinsier <aphexer@mailhaven.com>
Date: Mon, 02 Feb 2009 00:58:50 +0100
Message-id: <[🔎] 4986373A.7000502@mailhaven.com>
Reply-to: Alexander Prinsier <aphexer@mailhaven.com>, 499191@bugs.debian.org
In-reply-to: <497AF449.1070600@mailhaven.com>
References: <497AF449.1070600@mailhaven.com>

I have a patch prepared. Attached is what I got so far, and seems to be
working fine. (It's the modified .dpatch file, not a patch to a dpatch).

So now a third line in /etc/apache2/suexec/www-data is supported, being
a cgi_docroot. Scripts inside this cgi_docroot, and owned by root are
allowed to be executed by the target user.

I believe this addition will be very useful. On the other hand I
understand you want to stick to suexec as close as possible. You have to
realize though that many people patch suexec themselves because their
distro doesn't deliver something more usable. It's probably more secure
to have one widely used patched version inside the distro than having
many different locally patched versions.

Alexander

Reply to:

Follow-Ups:
- Bug#499191: Possible security issues
  - From: Alexander Prinsier <aphexer@mailhaven.com>

Prev by Date: [bts-link] source package apache2
Next by Date: Bug#499191: Possible security issues
Previous by thread: [bts-link] source package apache2
Next by thread: Bug#499191: Possible security issues
Index(es):
- Date
- Thread