
Re: exploring debian's users and groups



On Sun, Feb 03, 2002 at 11:29:07PM +0100, Manfred Wassmann wrote:
> Norbert Veber <nveber@debian.org> writes:
> 
> [...]
> 
> > or that no file must be owned by [...] "www-data", 
> 
> No way.  If apache runs as www-data and you are using things like
> mod_dav (WebDAV), then apache must have full access to any html
> documents and directories to be maintained via WebDAV.  I.e. they *must*
> be owned by www-data.
 
That's pretty insecure, especially if you allow users or virtual hosts to
run cgi scripts without suexec.  They could run cgi scripts that modify
any www-data owned file.  One would assume that webdav could also make
use of an suexec-like mechanism to overcome this limitation (though I
know nothing about dav).

Be that as it may, I was talking in the context of debian packages.  I.e.
they shouldn't provide any files owned by www-data; what the
administrator does after that is his problem :)

Thanks,

Norbert
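As an added illustration of the package-level rule discussed in this thread (not code from the thread or from Debian), the following POSIX shell function walks dpkg's per-package file lists and reports every shipped path whose owner is a given account such as www-data. It assumes GNU `stat` (for `-c %U`) and a Debian-style `/var/lib/dpkg/info/<package>.list` layout; both the owner name and the list directory are parameters so it can be run against a test tree.

```shell
#!/bin/sh
# Audit which package-shipped files are owned by a given account.
# Added example; assumes GNU coreutils stat and dpkg's .list file layout.

# audit_pkg_files_owned_by OWNER [LISTDIR]
#   OWNER    account name to look for (www-data on a real Debian system)
#   LISTDIR  directory holding dpkg's <package>.list files
#            (defaults to /var/lib/dpkg/info)
# Prints one "package path" line for each shipped path owned by OWNER.
audit_pkg_files_owned_by() {
    owner="$1"
    listdir="${2:-/var/lib/dpkg/info}"
    for listfile in "$listdir"/*.list; do
        # glob matched nothing: skip the literal pattern
        [ -e "$listfile" ] || continue
        pkg=$(basename "$listfile" .list)
        while IFS= read -r path; do
            [ -n "$path" ] || continue
            # skip paths that no longer exist (conffiles removed by the admin etc.);
            # -L keeps dangling symlinks, which stat examines without following
            [ -e "$path" ] || [ -L "$path" ] || continue
            if [ "$(stat -c %U "$path" 2>/dev/null)" = "$owner" ]; then
                printf '%s %s\n' "$pkg" "$path"
            fi
        done < "$listfile"
    done
}

# count_pkg_files_owned_by OWNER [LISTDIR]
# Number of offending paths; 0 means no package ships files owned by OWNER.
count_pkg_files_owned_by() {
    audit_pkg_files_owned_by "$@" | wc -l | tr -d ' '
}
```

On a real system run it as `audit_pkg_files_owned_by www-data`; any line it prints is a package-shipped file that a www-data process (e.g. a CGI script run without suexec) could modify.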
