Dependency reciprocity : real world problem with httpd and httpd-suexec

Steve G linux_4ever at yahoo.com
Tue Sep 7 20:57:37 UTC 2004


>The problem is that during the transaction, httpd-suexec (which got pulled 
>in as a dependency) got installed first, outputting the message "apache 
>group doesn't exist, using root"... BAD!

Really bad. I would think this bug needs fast attention. If you download a
package from a 3rd party that has buffer overflows and is setgid, you now have a
buggy program with buffer overflows running as root. Any setgid installation that
fails should never revert to root; it should fail immediately and let the admin
take care of it.

Was this filed in bugzilla?

-Steve Grubb
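
An added example, not part of the original message or of rpm itself: one way to find files that were installed with the fallback owner or group is to parse `rpm -Va` output, where a `U` or `G` flag means the on-disk user or group differs from the package header. The sample output, the file modes and the `sample_lstat` helper are constructed for illustration.

```python
import os
import re
import stat
from types import SimpleNamespace

# One line of `rpm -Va` per file that differs from its package header:
# flag characters S M 5 D L U G T P ("." = test passed, "?" = not testable),
# an optional attribute marker (c, d, g, l, r), then the path.
LINE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:[cdglr]\s+)?(/.*)$")

# Constructed sample output and file modes, for illustration only.
SAMPLE = """\
S.5....T.  c /etc/httpd/conf/httpd.conf
......G..    /usr/sbin/suexec
.....UG..    /var/cache/example
missing     /usr/share/doc/example/README
.M.......    /usr/bin/example
"""
SAMPLE_MODES = {"/usr/sbin/suexec": 0o104510}

def sample_lstat(path):
    """Stand-in for os.lstat that serves the constructed modes above."""
    return SimpleNamespace(st_mode=SAMPLE_MODES.get(path, 0o100644))

def ownership_drift(verify_output, lstat=os.lstat):
    """Return (path, mismatches, privileged) for files whose owner or group
    on disk differs from what the package header records."""
    findings = []
    for line in verify_output.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            continue  # "missing ..." lines and anything unparseable
        flags, path = m.groups()
        kinds = [name for ch, name in (("U", "user"), ("G", "group")) if ch in flags]
        if not kinds:
            continue
        try:
            mode = lstat(path).st_mode
            privileged = bool(mode & (stat.S_ISUID | stat.S_ISGID))
        except OSError:
            privileged = False  # file vanished or unreadable; still report drift
        findings.append((path, kinds, privileged))
    # setuid/setgid files first: those are the ones the thread worries about
    return sorted(findings, key=lambda f: not f[2])

if __name__ == "__main__":
    for path, kinds, privileged in ownership_drift(SAMPLE, sample_lstat):
        print(path, ",".join(kinds), "setuid/setgid" if privileged else "")
```

On a real system, pass the captured output of `rpm -Va` and leave `lstat` at its default.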






