
Re: [cobalt-security] Re: [cobalt-announce] Cobalt Networks - Security Advisory - Frontpage



Iain O'Cain wrote:
> > When a site is uploaded with FP to a RaQ2/3, all of the files
> > are owned by user "httpd" instead of a site-specific user.
> 
> Now, the patch addresses this in part by changing web directory ownerships
> to the "nobody" user.  Since we've been changing ownerships over to the
> actual site owner, this is pretty undesirable.  It seems to me that it
> would be just as effective to change the user which httpd runs as, rather
> than mess with file permissions which users may have changed for their own
> purposes.  Does that fit with how you're fixing this problem at Cobalt?

It doesn't change ownership away from legitimate users.  It only
changes permissions on files that are owned by httpd.  So any users
that have uploaded files through ftp, or have had the admin change
ownership will not be affected.
 
> > The package file format (pkg) for this fix is currently in testing, and
> > will be available in the very near future.
> 
> Perhaps if we wait for the pkg'd fix, it may be a bit cleaner?

If you feel you can wait for the pkg'd version I recommend it.
It will go through more strict testing guidelines and other
performance testing.  But if you need a spot fix, apply this
patch.

Jeff