
[cobalt-developers] Web Server permissions



Just a query..

Out of curiosity, I just did this (user is eggdrop, does not have
administrator privileges).  In a home user's folder I just dropped in a short
script, and chmod +x'ed it.

#!/bin/sh
printf "Content-type: text/plain\n\n"
ps aux | grep eggdrop

Apache seems to be configured on the XTR's so any files with a .cgi
extension will execute.  This is normal.

BUT:

admin     3512  0.0  0.0  1212  452 ?        S    08:20   0:00 grep eggdrop

The .cgi script is running as admin, and not the user?

This is a concern, I'm sure that the boxes could be exploited, i.e. write a
script to read something out of the admin home folder, to run a program, etc...

Am I incorrect in this?  (It's late, heh).

Ryan Verner
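
A defender-side check for the situation described in the post, as an added example that is not part of the original message: a CGI script that compares the numeric UID it runs under with the UID that owns the script file. The function names `file_owner_uid` and `check_cgi_identity` are hypothetical, and the script assumes a POSIX `sh` with `ls -n`, `awk` and `id` available.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): reports whether a CGI script
# executes under the account that owns the script file.

# Numeric UID of a file's owner: field 3 of `ls -ldn` (numeric IDs avoid
# depending on name lookups for the account).
file_owner_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{print $3}'
}

# $1 = path to the script, $2 = UID the process runs as (default: `id -u`).
# Prints match / mismatch / unknown and returns 0 / 1 / 2 respectively.
check_cgi_identity() {
    owner=$(file_owner_uid "$1")
    runner=${2:-$(id -u)}
    if [ -z "$owner" ]; then
        echo "unknown"      # file missing or unreadable
        return 2
    fi
    if [ "$owner" = "$runner" ]; then
        echo "match"        # CGI runs as the file's owner
        return 0
    fi
    echo "mismatch"         # CGI runs as some other account
    return 1
}

# When invoked by the web server as a CGI, emit a plain-text report.
if [ -n "$GATEWAY_INTERFACE" ]; then
    printf 'Content-type: text/plain\n\n'
    printf 'script owner uid : %s\n' "$(file_owner_uid "$0")"
    printf 'running as uid   : %s\n' "$(id -u)"
    printf 'result           : %s\n' "$(check_cgi_identity "$0")"
fi
```

A "mismatch" result for a script placed in a user's folder corresponds to the behaviour reported above, where the process showed up under admin rather than the owning user.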