[OpenAFS-devel] setgroups() fails to change pag under linux 2.6

David Thompson thomas@cs.wisc.edu
Thu, 20 Jul 2006 08:54:40 -0500


Jeffrey Hutzelman wrote:
>
>> 3) Specifically for the web server example, in your proposal, a malicious
>> web page could fork() itself, exit the parent thread, and wait around and
>> start collecting other authentications, as the web server changed the
>> authentication in the pag for other requests.  Yuch.
>
>Web pages can't call fork() or any other system call; they're just data.
>Of course, if you have a web server that runs programs provided by 
>untrusted users, then you have a whole world of potential problems.

You are correct; would "untrusted cgi/script" have been better?  We have this 
situation, and our solution is able to provide afs authentication for these 
scripts in a secure manner.

Dave