On Mon, Feb 21, 2000 at 09:33:53PM +0100, Robert Varga wrote: > > > If there is an exploitable cgi, then there is web access to all of the > owning user's files. If it is not run via the suEXEC mechanism, then the > permissions are that of www-data, which are close to nothing. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
this is not true, on every debian [potato] system i have installed /var/www is owned by www-data.www-data which means if the web pages are stored here gaining www-data privileges means you can completely replace the entire site. (unless of course the admin had chowned this) also /var/lib/dhelp is chowned www-data.www-data everytime its upgraded/installed. I personally think this is insane and brought it up on -devel where there was a little discussion but certainly no dicision to change it. -- Ethan Benson
