[freeside] Free Side Error
Mark Wells
mark at pc-intouch.com
Sat Jul 17 02:26:49 PDT 1999
On Sat, 17 Jul 1999, Ivan Kohler wrote:
> > I didn't know you could suid the CGI scripts. As far as I know, suid only
> > affects the effective uid, not the real uid.
>
> By definition, yes.
So to get checkruid to shut up and let you run the program, you have to do
one of the following:
1. Run your web server as 'freeside'.
2. Set your uid to equal your euid, with something like "$< = $>;".
3. Modify checkruid.
Right?
> > Whether this is safe is another issue.
>
> Very true. I was very careful to code Freeside securely, and Perl is a
> _much_ better "elevated privileges" environment than C or shell. There
> have been no reports of security problems with Freeside to date. However,
> it is possible that I missed something. Please let me know if you are
> aware of any possible problems.
I certainly haven't found any.
BTW, I think it's interesting that you're pretty sure Freeside itself is
secure, and you *still* put in a mechanism to make it refuse to run as a
user other than freeside.
> No. Don't do this. (or at least don't ask me for support after you
> cause yourself headaches by doing so)
Hey, I only said that if you didn't need checkruid at all and you wanted
to completely disable it you could do that. I'm not sure what else it
might break.
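The real-versus-effective uid distinction discussed in this message, as an added example that is not part of the original post and is not Freeside's checkruid code. The function name `ruid_guard` and the second test case's uids are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical guard in the spirit of the check discussed above.
# It tests the REAL uid ($<). A setuid bit changes only the effective
# uid ($>), so a setuid script started by another user still fails here.
# Returns (ok, message).
sub ruid_guard {
    my ($expected_user, $ruid, $euid) = @_;

    # getpwnam in scalar context returns the numeric uid (undef if unknown).
    my $expected_uid = getpwnam($expected_user);
    return (0, "no such user '$expected_user'") unless defined $expected_uid;

    return (1, "real uid matches $expected_user") if $ruid == $expected_uid;

    my $hint = $euid == $expected_uid
        ? "effective uid matches (setuid?), real uid does not"
        : "neither real nor effective uid matches";
    return (0, "refusing to run: $hint (ruid=$ruid euid=$euid)");
}

# getpwuid in scalar context returns the login name of the real user.
my $me = getpwuid($<);
die "cannot resolve a login name for uid $<\n" unless defined $me;

my @cases = (
    # The current process, checked against its own real user: passes.
    [ "current process", $me, $<, $> ],
    # Constructed uids modelling a setuid script launched by a different
    # user (for example the web server): euid matches, ruid does not.
    [ "setuid, other caller (constructed)", $me, $< + 1, $< ],
);

for my $case (@cases) {
    my ($label, $user, $ruid, $euid) = @$case;
    my ($ok, $msg) = ruid_guard($user, $ruid, $euid);
    printf "%-36s %s: %s\n", $label, ($ok ? "OK  " : "FAIL"), $msg;
}

# Option 2 in the message, '$< = $>;', sets the real uid to the effective
# uid, so a real-uid check like this one would pass afterwards.
```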