[1644] in WWW Security List Archive
Re: CGI Scripts and Permissions
daemon@ATHENA.MIT.EDU (Paul Phillips)
Thu Mar 14 19:11:35 1996
Date: Thu, 14 Mar 1996 12:09:48 -0800 (PST)
From: Paul Phillips <paulp@cerf.net>
To: Liz Stokes <ilaine@panix.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199603141949.OAA21013@panix.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 14 Mar 1996, Liz Stokes wrote:
> What? Nonsense. It does a seteuid instead of a setuid at the outset and
> runs as 'web'.
It's the RUID you should fear.
Consider that if some previously unknown hole allows someone to execute
code as the server (this is why we don't run things as root, after all),
it may occur to them to setuid back to root. Stack overflows are insidious
creatures.
-PSP
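The distinction Phillips is drawing (effective UID changed, real and saved UID still root) is easy to see in code. The following is an added illustration, not code from this thread or from any server Stokes or Phillips were discussing: it contrasts a seteuid()-only drop, which the kernel will let the process undo, with a setresuid()/setresgid() drop of all three IDs, after which there is no privileged ID left to return to. It assumes Linux/glibc and uses 65534 ("nobody") as a stand-in for the 'web' account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Declared explicitly so the file still compiles if <unistd.h> was first
 * processed without _GNU_SOURCE in effect (identical to the glibc prototypes). */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);

/* The pattern the reply warns about: only the effective UID moves to the
 * unprivileged account. Real and saved UID stay 0, so the kernel will still
 * honour a later seteuid(0) or setuid(0) issued from this process. */
int drop_privileges_temporarily(uid_t uid)
{
    return seteuid(uid);
}

/* The irrevocable form: real, effective and saved UID/GID all change, and the
 * supplementary group list is cleared first (while we still may). Afterwards
 * there is no privileged ID anywhere in the credential set to switch back to. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify rather than trust: all three UIDs must now be the target. */
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    return 0;
}

/* Returns 1 if any of real/effective/saved UID is still 0 (root is one
 * setuid(0)/seteuid(0) away), 0 if root is unreachable, -1 on error. */
int can_regain_root(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == 0 || e == 0 || s == 0) ? 1 : 0;
}

int main(void)
{
    /* Hypothetical unprivileged account; 65534 is the conventional 'nobody'. */
    const uid_t web_uid = 65534;
    const gid_t web_gid = 65534;

    if (geteuid() != 0) {
        printf("not root; nothing to drop (can_regain_root=%d)\n",
               can_regain_root());
        return 0;
    }

    drop_privileges_temporarily(web_uid);
    printf("after seteuid:   euid=%u ruid=%u can_regain_root=%d\n",
           (unsigned)geteuid(), (unsigned)getuid(), can_regain_root());
    seteuid(0); /* undo the temporary drop: it really was reversible */

    if (drop_privileges_permanently(web_uid, web_gid) != 0) {
        fprintf(stderr, "permanent drop failed: %s\n", strerror(errno));
        return 1;
    }
    int back = seteuid(0); /* expected to fail with EPERM now */
    printf("after setresuid: euid=%u ruid=%u can_regain_root=%d seteuid(0)=%d\n",
           (unsigned)geteuid(), (unsigned)getuid(), can_regain_root(), back);
    return 0;
}
```

Run as root it prints can_regain_root=1 after the seteuid()-only drop and can_regain_root=0 with seteuid(0) returning -1 after the full drop; run unprivileged it simply reports that root is already unreachable. The point for a CGI wrapper is that whatever code runs after the drop, a CGI script or an overflowed buffer, inherits the whole credential set, so the drop has to cover the real and saved IDs, not just the effective one.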