From: Christopher Faylor <cgf@redhat.com>
To: overseers@gcc.gnu.org
Subject: Re: /www/conf/httpd.conf
Date: Thu, 08 May 2003 14:38:00 -0000 [thread overview]
Message-ID: <20030508143812.GA28678@redhat.com> (raw)
In-Reply-To: <20030507231419.A26514@molenda.com>
On Wed, May 07, 2003 at 11:14:19PM -0700, Jason Molenda wrote:
>On Wed, May 07, 2003 at 05:06:33PM -0400, Christopher Faylor wrote:
>
>> I keep meaning to look into checking httpd.conf into cvs. There's no
>> real reason why we couldn't just put this in, say,
>> /sourceware/infra/httpd or something and use the standard mechanism
>> for updating it right?
>
>You could compromise the system if you could write to the httpd.conf
>file, so the current scheme where only people with ssh login access
>as root can write it keeps that group small. Otherwise, no, no
>problems. I suppose if you've compromised an account with sourceware
>repo write access, you've probably already got login access. Compromising
>the httpd uid could give you group write perms to all the other
>groups (granted for cvsweb).
>
>I doubt this would represent our most gregarious security problem--I'm
>just thinking it through aloud.
As long as we're all letting the horse out of the barn, I have to say
that I haven't seen any argument made here which doesn't already apply
to other parts of sourceware which are already under cvs control. There
are plenty of places where checking in a file could compromise security.
cgf
next prev parent reply other threads:[~2003-05-08 14:38 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-05-07 21:02 /www/conf/httpd.conf Gerald Pfeifer
2003-05-07 21:06 ` /www/conf/httpd.conf Christopher Faylor
2003-05-08 6:14 ` /www/conf/httpd.conf Jason Molenda
2003-05-08 14:38 ` Christopher Faylor [this message]
2003-05-08 18:03 ` /www/conf/httpd.conf Jason Molenda
2003-05-07 21:18 ` /www/conf/httpd.conf Andrew Cagney
2003-05-07 22:05 ` /www/conf/httpd.conf Gerald Pfeifer
2003-05-07 22:15 ` /www/conf/httpd.conf Andrew Cagney
2003-05-07 21:33 ` /www/conf/httpd.conf Ian Lance Taylor
2003-05-07 21:59 ` /www/conf/httpd.conf Gerald Pfeifer
-- strict thread matches above, loose matches on Subject: below --
2003-03-26 20:38 /www/conf/httpd.conf Gerald Pfeifer
2003-03-27 1:04 ` /www/conf/httpd.conf Christopher Faylor
2003-03-27 1:14 ` /www/conf/httpd.conf Gerald Pfeifer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030508143812.GA28678@redhat.com \
--to=cgf@redhat.com \
--cc=overseers@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).