Received: (qmail 17914 invoked by uid 2012); 31 Mar 1999 14:24:26 -0000 Message-Id: <19990331142426.17913.qmail@hyperreal.org> Date: 31 Mar 1999 14:24:26 -0000 From: Mark Dawson Reply-To: md@doc.ic.ac.uk To: apbugs@hyperreal.org Subject: Suexec allows insecure umask X-Send-Pr-Version: 3.2 >Number: 4178 >Category: suexec >Synopsis: Suexec allows insecure umask >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: apache >Arrival-Date: Wed Mar 31 06:30:01 PST 1999 >Closed-Date: Wed Jan 12 03:39:55 PST 2000 >Last-Modified: Wed Jan 12 03:39:55 PST 2000 >Originator: md@doc.ic.ac.uk >Release: 1.3.6 >Organization: >Environment: SunOS hen.doc.ic.ac.uk 5.6 Generic_105181-03 sun4u sparc SUNW,Ultra-1 >Description: Suexec does not set the umask before running a cgi script. Files created by a naive cgi script may inadvertantly have overly generous permissions. An appropriate default mask would be 077. A configuration option (--suexec-umask=) could be introduced. >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: Class-Changed-From-To: sw-bug-change-request Class-Changed-By: coar Class-Changed-When: Fri Jan 7 14:51:49 PST 2000 State-Changed-From-To: open-closed State-Changed-By: coar State-Changed-When: Wed Jan 12 03:39:55 PST 2000 State-Changed-Why: Thank you for the suggestion. This has been done, and it will appear in the next release after 1.3.9. >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]