
aolserver || cgiwrap and (was Re: www-data policy?)



John,

Hi, when you find it, let me know... when I took over cgiwrap, I must have
continued the existing arrangement to have it use www-data.www-data. Someone
has filed a bug indicating cgiwrap won't work with their web server that
doesn't run as www-data.www-data. 

I have considered using some method of telling cgiwrap who the web server
is running as, but I think that would pose a security risk inasmuch as
cgiwrap itself is setuid root.

Because cgiwrap is setuid root, I request a code review of it.

Because, after reading one .c file in aolserver and finding a major
buffer overrun potential (aolserver3_0/nsd/dstring.c, Ns_DStringPrintf())
(i.e., the first and only aolserver source file I ever read showed a bug 
of this proportion), I request a code review of that too.

Anyone? I wrote an lclint front end that cats together lclint reports of 
all the files. Now, if I can just remember where I put it :)

-Jim

---
Jim Lynch       Finger for pgp key
as Laney College CIS admin:  jim@laney.edu   http://www.laney.edu/~jim/
as Debian developer:         jwl@debian.org  http://www.debian.org/~jwl/


