[OpenAFS-devel] setgroups() fails to change pag under linux 2.6
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 19 Jul 2006 19:21:05 -0400

On Wednesday, July 19, 2006 08:58:35 AM -0500 David Thompson
<thomas@cs.wisc.edu> wrote:
> 3) Specifically for the web server example, in your proposal, a malicious
> web page could fork() itself, exit the parent thread, and wait around and
> start collecting other authentications, as the web server changed the
> authentication in the pag for other requests. Yuch.

Web pages can't call fork() or any other system call; they're just data.
Of course, if you have a web server that runs programs provided by
untrusted users, then you have a whole world of potential problems.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA