aolserver || cgiwrap and (was Re: www-data policy?)
John,
Hi, when you find it, let me know... when I took over cgiwrap, I must have
continued the existing arrangement to have it use www-data.www-data. Someone
has filed a bug indicating cgiwrap won't work with their web server that
doesn't run as www-data.www-data.
I have considered using some method of telling cgiwrap who the web server
is running as, but I think that would pose a security risk inasmuch as
cgiwrap itself is setuid root.
Because cgiwrap is setuid root, I request a code review of it.
Because, after reading one .c file in aolserver and finding a major
buffer overrun potential (aolserver3_0/nsd/dstring.c,Ns_DStringPrintf())
(i.e., the first and only aolserver source file I ever read showed a bug
of this proportion), I request a code review of that too.
Anyone? I wrote an lclint front end that cats together lclint reports of
all the files. Now, if I can just remember where I put it :)
-Jim
---
Jim Lynch Finger for pgp key
as Laney College CIS admin: jim@laney.edu http://www.laney.edu/~jim/
as Debian developer: jwl@debian.org http://www.debian.org/~jwl/