/etc/rc.bsdextended: am I misunderstanding this..?

Jilles Tjoelker jilles at stack.nl
Mon Apr 11 08:37:08 PDT 2005


On Mon, Apr 11, 2005 at 02:45:31PM +0100, Jan Grant wrote:
> Can someone clear something up for me?

> [[[
> # For apache to read user files, the ruleadd must give
> # it permissions by default.
> ####
> ${CMD} add subject uid 80 object not uid 80 mode rxws;
> ${CMD} add subject gid 80 object not gid 80 mode rxws;
> ]]]

> Doesn't the above mean that an apache user (eg, user-supplied CGI 
> process, PHP script, etc) has the ability to read (and write!) anything 
> in the filesystem?

MAC restrictions apply in addition to normal restrictions, i.e. an
access is allowed only if both the normal filesystem permissions and
ugidfw permit it.

-- 
Jilles Tjoelker
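
To make the "both must permit" rule concrete, here is a small model of how a ugidfw rule set and ordinary Unix permission bits combine on a single access. This is an added illustration written for this archive page, not FreeBSD or mac_bsdextended code: the parser covers only the `subject ... object ... mode ...` subset quoted above, rule evaluation follows the module's default first-match behaviour (the first rule whose subject and object both match decides; no matching rule means the module imposes nothing), and the uids, gids, files and permission bits are constructed. Treating the subject's supplementary groups as matching a `gid` clause is an assumption of the model, not a statement about the kernel.

```python
"""Model of a ugidfw (mac_bsdextended) decision combined with DAC.
Added example, not FreeBSD code; identities and files are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Clause:
    """One 'subject' or 'object' clause: optional uid / gid, each negatable."""
    uid: Optional[int] = None
    uid_not: bool = False
    gid: Optional[int] = None
    gid_not: bool = False

    def matches(self, uid: int, gids: List[int]) -> bool:
        if self.uid is not None and (uid == self.uid) == self.uid_not:
            return False
        if self.gid is not None and (self.gid in gids) == self.gid_not:
            return False
        return True


@dataclass
class Rule:
    subject: Clause
    obj: Clause
    mode: str  # letters from "arswxn"; 'n' means no access at all


def parse_rule(text: str) -> Rule:
    """Parse 'subject [not] uid N [gid N] object [not] uid N [gid N] mode LETTERS'.
    Only the subset used in rc.bsdextended is understood (assumption)."""
    toks = text.replace(";", "").split()
    clauses = {"subject": Clause(), "object": Clause()}
    cur, negate, mode, i = None, False, "", 0
    while i < len(toks):
        t = toks[i]
        if t in clauses:
            cur, negate = clauses[t], False
        elif t == "not":
            negate = True
        elif t in ("uid", "gid"):
            if cur is None:
                raise ValueError("uid/gid before subject/object")
            setattr(cur, t, int(toks[i + 1]))
            setattr(cur, t + "_not", negate)
            negate, i = False, i + 1
        elif t == "mode":
            mode, i = toks[i + 1], i + 1
        else:
            raise ValueError(f"unexpected token {t!r}")
        i += 1
    return Rule(clauses["subject"], clauses["object"], mode)


def mac_allows(rules: List[Rule], s_uid: int, s_gids: List[int],
               o_uid: int, o_gid: int, want: str) -> bool:
    """First matching rule decides (firstmatch_enabled default).
    No matching rule: the module does not restrict the access."""
    for r in rules:
        if r.subject.matches(s_uid, s_gids) and r.obj.matches(o_uid, [o_gid]):
            return "n" not in r.mode and all(c in r.mode for c in want)
    return True


def dac_allows(s_uid: int, s_gids: List[int], o_uid: int, o_gid: int,
               perm: int, want: str) -> bool:
    """Classic owner/group/other bits. Root bypasses r and w but still needs
    some x bit to execute. Only r, w, x are DAC concepts; want is a subset."""
    bits = {"r": 4, "w": 2, "x": 1}
    if s_uid == 0:
        return "x" not in want or bool(perm & 0o111)
    shift = 6 if s_uid == o_uid else 3 if o_gid in s_gids else 0
    cls = (perm >> shift) & 7
    return all(cls & bits[c] for c in want)


def access_allowed(rules: List[Rule], s_uid: int, s_gids: List[int],
                   f: Dict[str, int], want: str) -> bool:
    """The point of the reply above: access succeeds only if DAC and the
    ugidfw policy both permit it."""
    return (dac_allows(s_uid, s_gids, f["uid"], f["gid"], f["perm"], want)
            and mac_allows(rules, s_uid, s_gids, f["uid"], f["gid"], want))


# The two rules quoted from rc.bsdextended, verbatim.
RULES = [parse_rule(r) for r in (
    "subject uid 80 object not uid 80 mode rxws;",
    "subject gid 80 object not gid 80 mode rxws;",
)]
# A hypothetical tighter variant: apache may read, exec and stat, never write.
STRICT = [parse_rule("subject uid 80 object not uid 80 mode rxs;")]

# Constructed files owned by an ordinary user (uid/gid 1001).
USER_SECRET = {"uid": 1001, "gid": 1001, "perm": 0o600}
USER_PAGE = {"uid": 1001, "gid": 1001, "perm": 0o644}
USER_UPLOAD = {"uid": 1001, "gid": 1001, "perm": 0o666}
WWW_UID, WWW_GIDS = 80, [80]  # the apache identity from the rules


def demo() -> Dict[str, bool]:
    """Each entry is (DAC, MAC) combined for the apache user."""
    return {
        "read 0600 secret": access_allowed(RULES, WWW_UID, WWW_GIDS, USER_SECRET, "r"),
        "read 0644 page": access_allowed(RULES, WWW_UID, WWW_GIDS, USER_PAGE, "r"),
        "write 0644 page": access_allowed(RULES, WWW_UID, WWW_GIDS, USER_PAGE, "w"),
        "write 0666 upload": access_allowed(RULES, WWW_UID, WWW_GIDS, USER_UPLOAD, "w"),
        "write 0666 upload, strict": access_allowed(STRICT, WWW_UID, WWW_GIDS, USER_UPLOAD, "w"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

Run as shown, the 0600 file stays unreadable to uid 80 even though the rule's `mode rxws` would permit it at the MAC layer, because the owner's permission bits already refuse; the world-writable upload is writable under the quoted rules because both layers agree, and becomes unwritable under the hypothetical `rxs` variant because the MAC layer alone can subtract access it can never add.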


More information about the freebsd-security mailing list