On Tue, 05.07.2005 at 12:16, FC wrote:

Please! Do not top-post and fully quote. This is a mailing list and the content of previous mails is still available if one likes to check content of a previous message.

> Any1 can explain this :)
> I have an explanation .. IF the dir is owned by the same user the phpfm
> is owned it WILL change the dir rights
> example : mod_php
> /var/www/html/ owned by root:root
> /var/www/html/phpfm.php owned by apache.apache
> nothing changes
>
> then /var/www/html/ owned by apache:apache
>
> BOOM -> 777 on the dir ...
>
> That's a major security flaw .

What you describe is in my eyes just a badly behaving PHP application. If a directory in the DocumentRoot or the DocumentRoot is owned by the UID of the Apache user, then of course Apache has the permissions to change the dir, like you show us. Any PHP or other language script can do so.

It demonstrates why it is good that by default the DocumentRoot is root:root owned on Fedora. The Apache user does not need to be the owner.

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 12:33:45 up 9 days, 19:25, load average: 0.18, 0.34, 0.27
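The ownership condition discussed in this message can be checked with a short audit. This is an added example, not part of the original mail; the function name `audit_docroot`, the `OWNER`/`MODE` labels and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example: report directories under a DocumentRoot whose mode the web
# server account could change (it owns them) or that are already world-writable.
# audit_docroot, the OWNER/MODE labels and the demo tree are assumptions.

# Usage: audit_docroot DOCROOT WEBUSER   (WEBUSER is a login name or numeric UID)
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
audit_docroot() {
    docroot=$1
    webuser=$2
    report=$(
        # The owner of a directory may always chmod it, so ownership by the
        # web server account is the condition to look for.
        find "$docroot" -type d -user "$webuser" -exec sh -c \
            'for d in "$@"; do printf "OWNER %s\n" "$d"; done' sh {} +
        # World-writable directories (the 777 end state) are reported as well.
        find "$docroot" -type d -perm -0002 -exec sh -c \
            'for d in "$@"; do printf "MODE  %s\n" "$d"; done' sh {} +
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Constructed demo tree: the current user stands in for the web server account.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/html/uploads"
    chmod 755 "$tmp/html"
    chmod 777 "$tmp/html/uploads"
    audit_docroot "$tmp/html" "$(id -u)" || echo "findings above: review ownership and mode"
    rm -rf "$tmp"
}
demo
```

With the layout from the mail, the call would be `audit_docroot /var/www/html apache`; a root:root owned tree with no world-writable directories produces no output.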