The following reply was made to PR general/2580; it has been noted by GNATS.
From: Rob Saccoccio <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: general/2580: Apache won't run CGI scripts executable only by
a supplementary group
Date: Mon, 22 Feb 1999 09:33:26 -0500
Retrans to log to apbugs..
-----Original Message-----
From: Rob Saccoccio
Sent: Monday, February 22, 1999 9:29 AM
To: '[EMAIL PROTECTED]'; apache-bugdb@apache.org; Rob Saccoccio
Subject: RE: general/2580: Apache won't run CGI scripts executable only
by a supplementary group
This appears to still be a problem under Apache 1.3.4. I'll restate:
initgroups() is called to initialize supplementary groups for Apache, but
when CGI scripts are exec'd a check is performed which prevents the use of
those supplementary group privileges to exec() the script (unless
MULTIPLE_GROUPS is defined). This is problematic because the script is
still invoked with the supplementary groups defined, thus it can exec others
using those privileges (that Apache couldn't).
My recommendation is to remove the supplementary groups using setgroups()
after the fork() (unless MULTIPLE_GROUPS is defined).
robs
