DAV

Joe Orton jorton at redhat.com
Thu Oct 7 22:03:53 UTC 2004


On Thu, Oct 07, 2004 at 03:14:23PM -0400, Colin Walters wrote:
> On Thu, 2004-10-07 at 15:04 -0400, Alan Cox wrote:
> > On Thu, Oct 07, 2004 at 07:58:20PM +0100, Joe Orton wrote:
> > > It's not CGI scripts which is the issue, the issue is whether or not an
> > > OpenSSL buffer overflow gives you remote root or just the privileges of
> > > the "apache" user as it currently does.
> > 
> > That would be a problem yes. You'd end up with apache able to access any
> > files in the system. I guess mod_webdav should never have been mod_
> 
> Definitely agreed there.  It should work like ssh+sftp, where ssh execs
> a helper program running under the user's uid.  Doing things this way,
> in a separate process, also allows the SELinux policy to confine them
> separately.

I don't see how this makes sense with HTTP.  The code with the buffer
overflows is the HTTP parsing and SSL handling.  That's also the code
which you must trust to determine what "user context" a request might be
for.

joe




