DAV
Joe Orton
jorton at redhat.com
Thu Oct 7 18:58:20 UTC 2004
On Thu, Oct 07, 2004 at 12:51:36PM -0400, Alan Cox wrote:
> On Thu, Oct 07, 2004 at 05:41:38PM +0100, Joe Orton wrote:
> > > Your apache needs to have setfsuid rights, that is all
> >
> > Are you talking about capabilities or SELinux policy there? Does the
> > capability bit not then allow children to setfsuid(0) and write files as
> > root?
>
> You have control over how its inherited depending on whether you admit to
> being capability aware or not. In the sane case you'd turn it off when
> execing just as you make sure files all get closed.
It's not CGI scripts which is the issue, the issue is whether or not an
OpenSSL buffer overflow gives you remote root or just the privileges of
the "apache" user as it currently does.
joe
More information about the fedora-devel-list
mailing list