List: apache-modperl
Subject: Re: Launching Apache/mod_perl from setuid script
From: "Daniel S. Riley" <dsr () MAIL ! LNS ! CORNELL ! EDU>
Date: 1998-03-29 16:00:33
modus@PR.ES.TO writes:
> This program is insecure.
You bet--trivially exploitable. Marc is right, might as well just give
out the root password.
> Anyone who can execute this script can get access to your system as the
> owner of this program (in this case, most likely root). If you must use a
> wrapper, rather than sudo et al, use snprintf, instead of sprintf.
It locates the server using getenv(), calls system() to start the
server, and you're worrying about sprintf()? Boggle.
--
Dan Riley dsr@mail.lns.cornell.edu
Wilson Lab, Cornell University <URL:http://www.lns.cornell.edu/~dsr/>
"History teaches us that days like this are best spent in bed"
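For contrast with the wrapper the thread criticizes, here is a launcher written the defensive way; it is an added example, not code from this thread or from mod_perl. It never consults getenv(), hard-codes the server path (HTTPD_PATH is a placeholder assumption), maps a short allow-list of command words onto fixed argument vectors (the words and the `-t` config-test flag are assumed, not from the thread), and uses execve() instead of system() so no shell ever parses caller input and no sprintf() is needed.

```c
/* Defensive setuid-style launcher (added example, not from the thread).
 * Three fixes relative to the wrapper discussed above:
 *  1. the caller's environment is discarded, never read with getenv();
 *  2. the server binary path is a compile-time constant;
 *  3. execve() replaces system(), so /bin/sh never sees any input. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define HTTPD_PATH "/usr/local/apache/bin/httpd"  /* placeholder: site-specific */

/* Fixed, minimal environment handed to the server: nothing inherited. */
char *const SAFE_ENV[] = { "PATH=/bin:/usr/bin", NULL };

/* Map an allow-listed command word onto a fixed argv. Any other input,
 * including NULL, is rejected, so caller data never reaches the server. */
char *const *argv_for_command(const char *cmd)
{
    static char *const start_argv[] = { HTTPD_PATH, NULL };
    static char *const test_argv[]  = { HTTPD_PATH, "-t", NULL };  /* config test */
    if (cmd == NULL)
        return NULL;
    if (strcmp(cmd, "start") == 0)
        return start_argv;
    if (strcmp(cmd, "test") == 0)
        return test_argv;
    return NULL;
}

int main(int argc, char **argv)
{
    /* Exactly one argument is accepted, and only if it is in the table. */
    char *const *target = argv_for_command(argc == 2 ? argv[1] : NULL);
    if (target == NULL) {
        fputs("usage: launcher start|test\n", stderr);
        return 2;
    }
    execve(HTTPD_PATH, target, SAFE_ENV);  /* returns only on failure */
    perror("execve");
    return 1;
}
```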