Alexander Dalloz wrote:
On Tue, 05.07.2005 at 12:16, FC wrote:
Please! Do not top-post and fully quote. This is a mailing list and the
content of previous mails is still available if one likes to check
content of a previous message.
Anyone can explain this :)
I have an explanation .. IF the dir is owned by the same user the phpfm
is owned by, it WILL change the dir rights
example : mod_php
/var/www/html/ owned by root:root
/var/www/html/phpfm.php owned by apache.apache
nothing changes
then /var/www/html/ owned by apache:apache
BOOM -> 777 on the dir ...
That's a major security flaw.
What you describe is in my eyes just a badly behaving PHP application.
If a directory in the DocumentRoot or the DocumentRoot is owned by the
UID of the Apache user, then of course Apache has the permissions to
change the dir and like you show us. Any PHP or other language script
can do so. It demonstrates why it is good that by default the
DocumentRoot is root:root owned on Fedora. The Apache user does not need
to be the owner.
Alexander
I agree with you of course Alexander, what is tricking me, it does work
on some setups .. it is not a general behaviour
Another very dangerous thing happened, using a virtualhost, using
different users for each vhost
I could change the rights on the dir of / that's not a dir owned by the
user ...
There is still something strange there .... (that's why I think it has
to do with a combination of different packages
but couldn't point to the combination yet) ...
-Philip
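
An added example, not part of the thread and not written by any of its posters: a shell function that lists the directories under a DocumentRoot owned by the web server account (which any script running as that account can therefore chmod) and those already world-writable. The function name and output labels are assumptions; the defaults /var/www/html and apache are the values used in the thread.

```shell
#!/bin/sh
# Added example: audit a web root for directories that the web server
# account owns, and for directories that are already world-writable.
# Assumed names: audit_docroot and the two output labels are made up here.

audit_docroot() {
    docroot=${1:-/var/www/html}   # path from the thread, used as default
    webuser=${2:-apache}          # account name or numeric UID

    # The owner of a directory may change its mode, so every directory
    # owned by the web server account can be re-permissioned by any
    # PHP or CGI script that runs as that account.
    find "$docroot" -type d -user "$webuser" -print |
        sed 's/^/OWNED-BY-WEBUSER /'

    # Directories whose "other" write bit is set (for example mode 777).
    find "$docroot" -type d -perm -0002 -print |
        sed 's/^/WORLD-WRITABLE /'
}

# Run the audit only when called with arguments, e.g.:
#   sh audit.sh /var/www/html apache
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```

An empty result for a root:root owned DocumentRoot matches the Fedora default described in the thread.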