On Friday, 29 June 2007, James Le Cuirot wrote:
> This allows ANYONE to run suexec as root. I can't believe this has
> slipped through. As the Apache docs very clearly state over at
> http://httpd.apache.org/docs/2.2/suexec.html, they should be set
> with...

This problem isn't very severe. suexec checks which user executed it and aborts if it wasn't www-data. So the permissions are just an additional safeguard against bugs in suexec. But I agree that this should be fixed (probably in etch r2).

Cheers,
Stefan