[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
Synopsis: Potential group security hole with suexec
State-Changed-From-To: open-closed
State-Changed-By: brian
State-Changed-When: Tue May 19 21:48:27 PDT 1998
State-Changed-Why:
yeah, better never than late, eh? :)

To be honest I don't see the security hole present here. The whole point of suexec is to put the same protections around the CGI that Unix puts around its users. A poorly written and exploitable CGI, under suexec, can do as much damage to the OS as the user whose userid it runs under can also do. This is not a chroot jail and doesn't try to be.

If we were to implement a warning or check, chances are the volume of bug reports we'd get about it would overwhelm us, as everyone testing "suexec" for the first time will be someone who has wheel group membership (etc.) since they had to become root to install suexec.

Thanks for the note, though, it was good food for thought.
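The boundary the reply describes, as an added illustration that is not suexec's own code: a minimal setuid wrapper that refuses root and system accounts, then switches irrevocably to the target user before exec. The thresholds MIN_TARGET_UID / MIN_TARGET_GID and the function names are assumptions made here; the one design point worth seeing in code is that the wrapper deliberately does not inspect the target's supplementary groups, so a user who happens to be in wheel keeps that membership inside the CGI, exactly as the reply says.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed policy floor (placeholder values chosen for this example):
 * nothing below these ids may be a CGI target, which keeps root and
 * system accounts out of reach regardless of how the CGI is written. */
#define MIN_TARGET_UID 1000
#define MIN_TARGET_GID 1000

enum policy_result {
    POLICY_OK = 0,
    POLICY_ROOT_REFUSED,   /* target is uid 0 or gid 0 */
    POLICY_BELOW_MINIMUM   /* target is a system account */
};

/* Decide whether the wrapper may switch to this uid/gid at all.
 * Supplementary groups (wheel and friends) are not examined: once the
 * switch happens the CGI simply has whatever that user has, which is the
 * intended boundary rather than a hole in it. */
enum policy_result check_target(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return POLICY_ROOT_REFUSED;
    if (uid < MIN_TARGET_UID || gid < MIN_TARGET_GID)
        return POLICY_BELOW_MINIMUM;
    return POLICY_OK;
}

/* Irrevocably become the target user. Order matters: gid and the group
 * list must be set while still root, because after setuid() they cannot.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_to(const char *user, uid_t uid, gid_t gid)
{
    if (check_target(uid, gid) != POLICY_OK) {
        errno = EPERM;
        return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    /* The user's full group set, wheel included if they are a member. */
    if (initgroups(user, gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Confirm the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Usage: wrapper <user> <program> [args...]
 * Runs <program> as <user> with that user's normal Unix permissions. */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <user> <program> [args...]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", argv[1]);
        return 1;
    }
    if (drop_to(pw->pw_name, pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_to");
        return 1;
    }
    execv(argv[2], &argv[2]);
    perror("execv");   /* only reached if exec failed */
    return 1;
}
```

A wrapper like this has to be installed setuid root to do anything, which is the installer-has-wheel situation the reply points out; a stricter variant could replace the initgroups() call with setgroups(1, &gid) to confine the CGI to the primary group, at the cost of diverging from how the user's own shell behaves.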
