
Re: enabling suexec with debian apache [solved]



On Mon, Feb 21, 2000 at 09:33:53PM +0100, Robert Varga wrote:
> > 
> If there is an exploitable cgi, then there is web access to all of the
> owning user's files. If it is not run via the suEXEC mechanism, then the
> permissions are that of www-data, which are close to nothing.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

this is not true, on every debian [potato] system I have installed
/var/www is owned by www-data.www-data which means if the web pages
are stored here gaining www-data privileges means you can completely
replace the entire site.  (unless of course the admin had chowned
this)

also /var/lib/dhelp is chowned www-data.www-data every time it's
upgraded/installed. 

I personally think this is insane and brought it up on -devel where
there was a little discussion but certainly no decision to change
it. 

-- 
Ethan Benson
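
An audit for the condition described in the message above, added here as an example and not part of the original post: it lists everything under a web root that a given account (by default www-data and /var/www, the names from the message) could modify. The function names `classify` and `audit` are hypothetical, and only classic Unix mode bits are considered, not ACLs.

```python
import os
import pwd
import stat
import sys

def classify(st, uid, gids):
    """Why the account (uid, gids) can change the object in st, or None."""
    if st.st_uid == uid:
        # The owner can always chmod the object, so a missing u+w bit is no barrier.
        return "owner"
    if st.st_gid in gids:
        # For a group member the kernel consults only the group bits.
        return "group-writable" if st.st_mode & stat.S_IWGRP else None
    return "world-writable" if st.st_mode & stat.S_IWOTH else None

def audit(root, uid, gids=()):
    """Return sorted (path, reason) pairs under root that the account can modify.

    A finding on a directory also means its entries can be replaced,
    whoever owns the files inside it (unless the sticky bit is set).
    """
    gids = set(gids)
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits are not meaningful
        reason = classify(st, uid, gids)
        if reason:
            findings.append((path, reason))
    return sorted(findings)

if __name__ == "__main__":
    # Defaults are the account and directory named in the message.
    user = sys.argv[1] if len(sys.argv) > 1 else "www-data"
    root = sys.argv[2] if len(sys.argv) > 2 else "/var/www"
    try:
        pw = pwd.getpwnam(user)
        results = audit(root, pw.pw_uid, os.getgrouplist(user, pw.pw_gid))
    except (KeyError, OSError) as exc:
        sys.exit(f"audit failed: {exc}")
    for path, reason in results:
        print(f"{reason:15} {path}")
```

An empty result for the web server account means a compromised CGI running as that account cannot rewrite the site through file permissions alone.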

