Joe Pruett wrote:
> Why isn't setuid/gid discussed as an option to make cmd.cgi be able to
> write to nagios.cmd? This seems like a better option to the problem. I
> guess that if there are bugs in cmd.cgi it could be exploited, but I'd
> rather limit those bugs to the nagios user than the apache user.
>
setgid and setuid would affect the apache user as well (meaning an
exploit could choose which user to execute code as) and are strongly
discouraged by anyone with a clue to security. Using the suexec feature
of Apache is considered best practice for privilege separation (although
that has its caveats as well).
> I'm using setgid so far to good effect.
>
Then you are possibly vulnerable.
--
Andreas Ericsson [email protected]
OP5 AB www.op5.se
Lead Developer
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]