poor default security mode
Bug #137427 reported by Sean Middleditch
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
suphp (Ubuntu) | Confirmed | Wishlist | Unassigned |
Bug Description
The suphp package used the 'owner' security model instead of the 'paranoid' security model. The latter is identical to what suexec uses. Using the 'owner' model, any script which somehow gets into a web directory becomes runnable as that user, which in certain rather contrived circumstances can be a huge security hole. suphp should be configured to use the paranoid model by default.
It would also be nice if the suphp source package generated different versions of suphp for each of the supported security models.
Changed in suphp: importance: Undecided → Wishlist
Confirming this bug. Isn't it also a security bug?