On Thu, 2004-10-07 at 15:04 -0400, Alan Cox wrote: > On Thu, Oct 07, 2004 at 07:58:20PM +0100, Joe Orton wrote: > > It's not CGI scripts which is the issue, the issue is whether or not an > > OpenSSL buffer overflow gives you remote root or just the privileges of > > the "apache" user as it currently does. > > That would be a problem yes. You'd end up with apache able to access any > files in the system. I guess mod_webdav should never have been mod_ Definitely agreed there. It should work like ssh+sftp, where ssh execs a helper program running under the user's uid. Doing things this way, in a separate process, also allows the SELinux policy to confine them separately.
Attachment:
signature.asc
Description: This is a digitally signed message part
