[sclug] Apache question

James Fidell james at cloud9.co.uk
Sun Nov 7 23:23:01 UTC 2004


Quoting Tom Dawes-Gamble (tmdg at tmdg.co.uk):
> On Sun, 2004-11-07 at 13:14, Pieter Claassen wrote:
> > Hello All,
> > 
> > Here is an open question regarding Apache that somebody might have some
> > philosophical or technical light to shed on:
> > 
> > So, here is the question:
> > 1. Does anybody know of a way for apache to use the filesystem's
> > underlying permissions to determine if user X has the right to download
> > or upload a file? If the file has worldwide rw rights, then anybody can
> > get to it (I assume uploads via webdav)
> > 2. Might this be most easily achieved to switch UID/GID of the apache
> > process on authentication to that of the authentication user?
> 
> I think the only way to do this would be to 
> 
> 1) Authenticate the user against /etc/passwd.
> 2) switch user using setuid.
> 3) serve the page.
> 4) switch user back to original user.
> 
> However, to make that happen one needs to run apache as root.  Personally
> I would not want to go there.

I wouldn't go there either, as if anything happens between 2) & 4) that
allows a remote user to run code, there's always the chance they might
be able to become root.

Better to just terminate the instance of apache instead of 4).  There's the
overhead of spawning another instance from the main server, but such is life.

James
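The design James favours above (become the authenticated user, serve, then exit rather than switch back) amounts to an irreversible privilege drop. The following C program is an added illustration of that one-way switch and of a check that the drop really is one-way; it is not code from the thread or from Apache. It assumes the caller has already chosen a target uid/gid (for instance from /etc/passwd after authentication), and when run as root it drops to uid/gid 65534, assumed here to be the conventional "nobody" account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example: one-way privilege drop for a per-request worker.
 * The worker becomes the authenticated user and never comes back, which
 * is the alternative to step 4) of the scheme quoted in the thread. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    /* Only root may change the supplementary group list; an unprivileged
     * caller has nothing extra to shed here. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* gid first: once we are no longer root we could not change it. */
    if (setgid(gid) != 0)
        return -1;
    /* With euid 0, setuid() sets real, effective and saved uid together, so
     * no saved uid 0 is left to return to.  A seteuid()-only switch (the
     * "switch back later" design) would keep saved uid 0 available. */
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 when the process has really become uid/gid and, for a non-root
 * target, cannot get uid 0 back; returns 0 otherwise.  If a regain attempt
 * succeeds the process is root again, so a 0 result must be treated as fatal. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0) {
        /* Both calls must fail with EPERM; success means the saved uid 0
         * survived the drop. */
        if (setuid(0) == 0 || seteuid(0) == 0)
            return 0;
        if (errno != EPERM)
            return 0;
    }
    return 1;
}

/* Target identity for the demonstration: the current user when already
 * unprivileged, or uid/gid 65534 (assumed to be "nobody") when root, so that
 * a root run actually exercises the drop. */
uid_t demo_target_uid(void) { return getuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t demo_target_gid(void) { return getuid() == 0 ? (gid_t)65534 : getgid(); }

int main(void)
{
    uid_t uid = demo_target_uid();
    gid_t gid = demo_target_gid();

    printf("before: uid=%u euid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)getgid());
    if (drop_privileges_permanently(uid, gid) != 0) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("after:  uid=%u euid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)getgid());
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "drop is reversible; refusing to serve\n");
        return 1;
    }
    /* Serve the request here as the authenticated user, then exit.  There
     * is no step 4): the process simply ends and the parent spawns another. */
    return 0;
}
```

The order matters: supplementary groups and gid are shed while still root, and the uid change comes last. The verification step is what distinguishes this from the seteuid()-based "switch and switch back" scheme, where a later seteuid(0) would succeed because the saved uid was never touched.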

