
[cobalt-security] Re: [cobalt-announce] Cobalt Networks - Security Advisory - Frontpage

This issue has been a concern to us for a while now.  It's so trivial to
get around the "cgiWrap" protection that I hadn't even realized it was
meant as protection.  My remaining concerns are about Cobalt's proposed
fix for the security problem (below).  

On Thu, 25 May 2000, Jeff Lovell wrote:

> When a site is uploaded with FP to a RaQ2/3, all of the files
> are owned by user "httpd" instead of a site-specific user.

Now, the patch addresses this in part by changing web directory ownerships
to the "nobody" user.  Since we've been changing ownerships over to the
actual site owner, this is pretty undesirable.  It seems to me that it
would be just as effective to change the user which httpd runs as, rather
than mess with file permissions which users may have changed for their own
purposes.  Does that fit with how you're fixing this problem at Cobalt?

> The package file format (pkg) for this fix is currently in testing, and
> will be available in the very near future.

Perhaps if we wait for the pkg'd fix, it may be a bit cleaner?

Thanks for your efforts.

- Iain O'Cain, OA Internet
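
An added audit example, not part of this mail or of Cobalt's patch: the thread's underlying risk is FrontPage uploads landing under the shared web-server account ("httpd") rather than the site's own user, so the practical check on a RaQ-style host is to walk each site's web root and report files owned by that shared account. The web-root layout, the `_vti_pvt` directory and the owner name `httpd` below are assumptions taken from the advisory's description; the sample tree is constructed so the script runs offline without root (it therefore uses the current user as the stand-in for the shared account).

```shell
#!/bin/sh
# Audit helper (added example): find files under a site's web root that are
# owned by the shared web-server account instead of the site's own user.

# Print every regular file under $1 owned by user $2, one path per line.
# A missing user name makes find complain; that noise is discarded and the
# result is simply empty.
files_owned_by() {
    root="$1"; owner="$2"
    find "$root" -type f -user "$owner" 2>/dev/null | sort
}

# Count such files. A non-zero count for the web-server account means some
# uploads are writable by anything that runs as that account, which is the
# cross-site exposure the advisory is about.
count_owned_by() {
    files_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# Complement check: files NOT owned by the site's expected user $2.
files_not_owned_by() {
    root="$1"; site_user="$2"
    find "$root" -type f ! -user "$site_user" 2>/dev/null | sort
}

# Constructed sample tree (assumption: FrontPage-style layout). Prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/web/_vti_pvt" "$d/web/cgi-bin"
    : > "$d/web/index.html"
    : > "$d/web/_vti_pvt/service.pwd"
    : > "$d/web/cgi-bin/form.cgi"
    printf '%s\n' "$d"
}

# Stand-alone usage: on a real host you would pass /home/sites/<site>/web
# and the shared account name, e.g.  files_owned_by /home/sites/site1/web httpd
if [ "${AUDIT_DEMO:-}" = "1" ]; then
    root=$(make_sample_tree)
    echo "files owned by $(id -un) under $root/web:"
    files_owned_by "$root/web" "$(id -un)"
    rm -rf "$root"
fi
```

Run it with `AUDIT_DEMO=1 sh audit.sh` to see the walk over the constructed tree; in production, loop over the site directories and treat any hit for the shared account as something to re-own to the site user (or, per the suggestion in the mail above, to reconsider which user httpd runs as).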