Bugtraq mailing list archives

Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate


From: "Jeremy C. Reed" <reed () reedmedia net>
Date: Wed, 1 Aug 2001 13:55:39 -0700 (PDT)

On Wed, 1 Aug 2001, Olaf Bohlen wrote:

> But: no user (except root) should be able to gain access to nobody. so

As another posting indicated and what I have seen on many, many systems,
webservers often run CGIs as nobody -- so, in fact, everybody is
nobody. (Or in other words, it is easy for many users to gain access to
nobody.)

> this is not a security hole imho.

This Slackware locatedb vulnerability is a perfect example to counter your
reasoning.

"No privileges" is the purpose of user nobody.

I believe it is usually assumed that files shouldn't be owned by
nobody. It is assumed that if your nobody-running tool is exploited that
it should not be able to take advantage of anything else.

If some tool running as nobody is exploited, it still should have no
privileges (like write access to some other nobody-owned file).

> Also if you run apache-cgi's as user, apache chowns to the owner of the
> cgi before executing it:

This depends on how it is configured. My apache configurations don't look
at the owner of a CGI file and then setuid to that particular user before
running it. In fact, if you use suexec, then it purposely does not run a
CGI if its owner is different (because it is considered a security
problem).

   Jeremy C. Reed
   http://www.reedmedia.net/
                                               http://www.isp-faq.com/
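
An added example, not part of the original post: a small audit that lists everything under a directory tree that a given unprivileged account owns or can write, which is the condition the message argues should never hold for nobody. The function names `writable_by` and `audit_account` and the default start directory are assumptions made for this sketch, and it checks classic mode bits only, not ACLs.

```python
import grp
import os
import pwd
import stat


def writable_by(root, uid, gids=frozenset()):
    """Return sorted (path, reason) pairs for entries under root that uid controls."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or cannot be examined
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink itself carry no meaning
            if st.st_uid == uid:
                # The owner can always chmod the entry, so ownership alone is control.
                reason = "owned"
            elif st.st_gid in gids:
                # POSIX applies only the group class once the group matches.
                reason = "group-writable" if st.st_mode & stat.S_IWGRP else None
            else:
                reason = "world-writable" if st.st_mode & stat.S_IWOTH else None
            if reason:
                findings.append((path, reason))
    return sorted(findings)


def audit_account(root, account="nobody"):
    """Resolve the account's uid and groups, then audit root for it."""
    pw = pwd.getpwnam(account)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if account in g.gr_mem}
    return writable_by(root, pw.pw_uid, gids)


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "/var"  # assumed default
    for path, reason in audit_account(start):
        print(f"{reason:15} {path}")
```

World-writable directories with the sticky bit set, such as /tmp, will appear in the output and are expected; the entries worth investigating are the ones reported as owned.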

