Bug#431048: suexec permissions are DANGEROUS

To: James Le Cuirot <chewi@aura-online.co.uk>, 431048@bugs.debian.org
Subject: Bug#431048: suexec permissions are DANGEROUS
From: Stefan Fritsch <sf@debian.org>
Date: Fri, 29 Jun 2007 18:25:05 +0200
Message-id: <[🔎] 200706291825.14967.sf@debian.org>
Reply-to: Stefan Fritsch <sf@debian.org>, 431048@bugs.debian.org
In-reply-to: <[🔎] 20070629092106.39161e62@rhapsody>
References: <[🔎] 20070629092106.39161e62@rhapsody>

On Freitag, 29. Juni 2007, James Le Cuirot wrote:
> This allows ANYONE to run suexec as root. I can't believe this has
> slipped through. As the Apache docs very clearly state over at
> http://httpd.apache.org/docs/2.2/suexec.html, they should be set
> with...

This problem isn't very severe. suexec checks which user executed it 
and aborts if it wasn't www-data. So the permissions are just an 
additional safeguard against bugs in suexec.

But I agree that this should be fixed (probably in etch r2).

Cheers,
Stefan

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

References:
- Bug#431048: suexec permissions are DANGEROUS
  - From: James Le Cuirot <chewi@aura-online.co.uk>

Prev by Date: Processed: severity of 431048 is important, tagging 431048
Next by Date: Processed: tagging 431048
Previous by thread: Bug#431048: suexec permissions are DANGEROUS
Next by thread: Processed: severity of 431048 is important, tagging 431048
Index(es):
- Date
- Thread