/etc/rc.bsdextended: am I misunderstanding this..?

Jan Grant Jan.Grant at bristol.ac.uk
Mon Apr 11 06:45:36 PDT 2005


Can someone clear something up for me?

[[[
# For apache to read user files, the ruleadd must give
# it permissions by default.
####
${CMD} add subject uid 80 object not uid 80 mode rxws;
${CMD} add subject gid 80 object not gid 80 mode rxws;
]]]

Doesn't the above mean that an apache user (e.g., user-supplied CGI 
process, PHP script, etc.) has the ability to read (and write!) anything 
in the filesystem?

Similarly: mailnull, majordomo, bin, etc, appear to get "elevated" 
privileges via this file and mac_bsdextended.

[[[
####
# For cyrus:
${CMD} add subject uid 60 object not uid 60 mode rxws;
${CMD} add subject gid 60 object not gid 60 mode rxws;
]]]

Cyrus is a "black box" mail server: the cyrus user normally winds up 
owning anything that the IMAP server needs to touch.

[[[
# For the nobody account:
${CMD} add subject uid 65534 object not uid 65534 mode rxws;
${CMD} add subject gid 65534 object not gid 65534 mode rxws;
]]]

... and doesn't this (almost, no "a" flag) completely negate the point 
of the nobody account in the first instance?

Not quite getting it,
jan

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44 (0)117 9287088 (with luck)   http://ioctl.org/jan/
I shave with Occam's Razor.
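Added example, not part of Jan's message or of FreeBSD's own rc.bsdextended: a small Python model of how the quoted mac_bsdextended(4) rules combine with ordinary permission bits. The model follows the module's documented behaviour: rules are tried in order, the first rule whose subject and object both match decides whether the requested mode is acceptable to the module, an access that matches no rule is not objected to, and the module only restricts, because the kernel still runs the normal DAC check alongside it. Only the uid halves of the quoted rule pairs are modelled; gid clauses and the "a" and "s" modes are left out. The file owner uid 1001, the 0600/0644/0666 file modes, and the extra read-only apache rule are constructed for the example.

```python
# Added example (not from the message or from FreeBSD's rc.bsdextended).
# Models mac_bsdextended rule evaluation next to a simplified DAC check, to
# show what "subject uid 80 object not uid 80 mode rxws" does and does not do.
from dataclasses import dataclass

UID_CYRUS, UID_APACHE, UID_NOBODY = 60, 80, 65534


@dataclass(frozen=True)
class Rule:
    subj_uid: int
    subj_not: bool   # True for "subject not uid N"
    obj_uid: int
    obj_not: bool    # True for "object not uid N"
    mode: str        # ugidfw mode letters, e.g. "rxws"; "n" means none


# The uid halves of the three rule pairs quoted in the message.
MESSAGE_RULES = [
    Rule(UID_APACHE, False, UID_APACHE, True, "rxws"),
    Rule(UID_CYRUS,  False, UID_CYRUS,  True, "rxws"),
    Rule(UID_NOBODY, False, UID_NOBODY, True, "rxws"),
]

# Constructed for this example, not quoted in the message: a tighter apache
# rule that only tolerates reads of files apache does not own.
APACHE_READONLY = Rule(UID_APACHE, False, UID_APACHE, True, "r")


def rule_matches(rule: Rule, subject_uid: int, object_uid: int) -> bool:
    """A clause matches on equality, or on inequality when written with 'not'."""
    subj_ok = (subject_uid == rule.subj_uid) != rule.subj_not
    obj_ok = (object_uid == rule.obj_uid) != rule.obj_not
    return subj_ok and obj_ok


def bsdextended_allows(rules, subject_uid: int, object_uid: int, want: str) -> bool:
    """First matching rule decides; if no rule matches, the module does not object."""
    for rule in rules:
        if rule_matches(rule, subject_uid, object_uid):
            return rule.mode != "n" and all(ch in rule.mode for ch in want)
    return True


def dac_allows(file_mode: int, file_uid: int, subject_uid: int, want: str) -> bool:
    """Simplified DAC: owner bits for the owner, 'other' bits for everyone else."""
    bits = (file_mode >> 6) & 7 if subject_uid == file_uid else file_mode & 7
    need = {"r": 4, "w": 2, "x": 1}
    return all(bits & need[ch] for ch in want)


def access(rules, file_mode: int, file_uid: int, subject_uid: int, want: str) -> bool:
    """The kernel grants access only when DAC and the MAC policy both agree."""
    return dac_allows(file_mode, file_uid, subject_uid, want) and \
        bsdextended_allows(rules, subject_uid, file_uid, want)


if __name__ == "__main__":
    alice = 1001  # constructed ordinary user owning the files below
    # A 0600 file of another user: the quoted apache rule tolerates "r", but
    # DAC never allowed it, so apache still cannot read it.
    print(access(MESSAGE_RULES, 0o600, alice, UID_APACHE, "r"))
    # A 0644 file: DAC allows the read and the module does not object.
    print(access(MESSAGE_RULES, 0o644, alice, UID_APACHE, "r"))
    # Ordering matters: the first matching rule wins, so a read-only apache
    # rule placed before the quoted one blocks a write DAC would permit,
    # while the same rule placed after the quoted one never gets consulted.
    print(access([APACHE_READONLY] + MESSAGE_RULES, 0o666, alice, UID_APACHE, "w"))
    print(access(MESSAGE_RULES + [APACHE_READONLY], 0o666, alice, UID_APACHE, "w"))
```

The first two calls show the point the question turns on: "mode rxws" for objects not owned by uid 80 only tells the module not to object, it does not lift the permission bits, so apache ends up with exactly the access DAC already gave it. The last two calls show why rule order in rc.bsdextended matters, since only the first matching rule is consulted.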

