DAV

Colin Walters walters at redhat.com
Thu Oct 7 19:14:23 UTC 2004


On Thu, 2004-10-07 at 15:04 -0400, Alan Cox wrote:
> On Thu, Oct 07, 2004 at 07:58:20PM +0100, Joe Orton wrote:
> > It's not CGI scripts which is the issue, the issue is whether or not an
> > OpenSSL buffer overflow gives you remote root or just the privileges of
> > the "apache" user as it currently does.
> 
> That would be a problem yes. You'd end up with apache able to access any
> files in the system. I guess mod_webdav should never have been mod_

Definitely agreed there.  It should work like ssh+sftp, where ssh execs
a helper program running under the user's uid.  Doing things this way,
in a separate process, also allows the SELinux policy to confine them
separately.
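
The design described in the message above, a privileged server that forks and execs a helper under the user's uid, shown as an added example that is not part of the original message and is not Apache or OpenSSH code. The function names `drop_to_user` and `run_helper_as` are hypothetical, and the caller supplies the helper path.

```c
/* Added example: hand work to a helper process running as the target user. */
#define _GNU_SOURCE /* on glibc, exposes setgroups() */
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently become uid/gid. Order matters: supplementary groups and gid
 * go first, because after setuid() the process may no longer change them.
 * Returns 0 on success, -1 on any failure. */
static int drop_to_user(uid_t uid, gid_t gid)
{
    /* Only root may reset the supplementary group list. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm the drop is irreversible: regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Fork, drop privileges in the child, exec the helper with a minimal
 * environment. Returns the helper's exit status; 127 means the privilege
 * drop or the exec failed in the child; -1 means fork/wait failed. */
int run_helper_as(uid_t uid, gid_t gid, char *const argv[])
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_user(uid, gid) != 0)
            _exit(127); /* fail closed: never exec with extra rights */
        execve(argv[0], argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because the helper is a separate executable started with `execve`, an SELinux policy can give it its own domain transition, which is the separate confinement the message refers to.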


More information about the fedora-devel-list mailing list