Bug#499191: apache2-suexec-custom: Allow execution of programs owned by root

2008-10-06 Thread Stefan Fritsch
On Thursday 02 October 2008, Alexander Prinsier wrote:
> > Apart from that, allowing scripts owned by root to be executed as
> > any user would certainly create (local) security issues. Using a
> > dedicated user might be possible, though.
>
> Why would running a root-owned script as a local user create a
> security issue?

Not so. But this would mean that in many setups, any user would be 
allowed to execute any root-owned program under the document root 
that has mode +x as any _other_ user (above uid 100). This is 
something that no admin would expect. The restriction that suexec can 
only be executed by apache can often be circumvented. E.g. if users 
are allowed to create PHP scripts in ~/public_html.

> > But I intend to keep apache2-suexec-custom as close as possible
> > to the normal suexec and would prefer to not add any more
> > features.
>
> I understand that. The patch is quite trivial though. Are there any
> other options besides maintaining my local patch?

For lenny there isn't. For the next release after lenny we can think 
about it again.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



ssl-cert 1.0.23 MIGRATED to testing

2008-10-06 Thread Debian testing watch
FYI: The status of the ssl-cert source package
in Debian's testing distribution has changed.

  Previous version: 1.0.22
  Current version:  1.0.23

-- 
This email is automatically generated; the Debian Release Team
<[EMAIL PROTECTED]> is responsible.
See http://release.debian.org/testing-watch/ for more information.

