This item text has been erased.
5 responses total.
A really nifty querystring and a buggy script interpreter could potentially make that a big problem.
This response has been erased.
Isn't there a base socket call multiplexor type function? There used to
be at least. I just did something like the following at the very top of
the function, (it actually used to be after an mbuf was allocated which
caused memory leaks, but thaler fixed that):
    if (current->euid >= 500)
        if (!in_egroup_p(PATRON_GID))
            return -EINVAL;
This basically just says if the EUID is over 499, (put to whatever you
start normal user IDs), then check if the EUID is in the PATRON_GID
group. If not, then return a failure to the socket call. Actually, I
think it used to be that if current->euid != 0 the group would be
checked. You can modify as needed, (e.g. put www in the patron group,
or make its UID ignored, etc.) The in_egroup_p() function just checks
to see if the EUID user is in the PATRON_GID group and returns TRUE if
so, (e.g. it does a getpwuid() and checks the user's group and then if
necessary, does a getgrid(PATRON_GID) and checks the membership).
(BTW, I believe Jim did the kernel hack on M-Net and Dave fixed it up. I just copied it over during some upgrade and have ported it to Linux.)
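A userspace model of the gate described in the response above, added here as an example; it is not the M-Net or Linux patch itself. The struct cred_model type, the socket_gate() and in_egroup_model() names, the exempt list and the PATRON_GID value of 1000 are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define PATRON_GID 1000  /* assumed value; the post gives no number */

/* Hypothetical stand-in for the calling task's credentials. */
struct cred_model {
    uid_t euid;
    gid_t egid;
    const gid_t *groups;  /* supplementary groups */
    size_t ngroups;
};

/* Model of the group test: effective GID or any supplementary group. */
static int in_egroup_model(const struct cred_model *c, gid_t gid)
{
    if (c->egid == gid)
        return 1;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return 1;
    return 0;
}

/* Returns 0 if the socket call may proceed, -EINVAL if it is refused.
 * min_uid = 500 gives the check in the post; min_uid = 1 gives the
 * older "euid != 0" variant. exempt[] lists UIDs to ignore (e.g. www). */
int socket_gate(const struct cred_model *c, uid_t min_uid,
                const uid_t *exempt, size_t nexempt)
{
    if (c->euid < min_uid)
        return 0;
    for (size_t i = 0; i < nexempt; i++)
        if (exempt[i] == c->euid)
            return 0;
    return in_egroup_model(c, PATRON_GID) ? 0 : -EINVAL;
}

int main(void)
{
    /* Constructed sample: UID 501, primary group 100, no other groups. */
    struct cred_model guest = { 501, 100, NULL, 0 };
    printf("guest: %d\n", socket_gate(&guest, 500, NULL, 0));
    return 0;
}
```

With min_uid set to 1, a service account such as www is refused unless it is in the patron group or on the exempt list, which is the adjustment the response mentions.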
This response has been erased.
- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss