freebsd security - Apr 2005 - /etc/rc.bsdextended: am I misunderstanding this..?

Can someone clear something up for me?

[[[
# For apache to read user files, the ruleadd must give
# it permissions by default.
####
${CMD} add subject uid 80 object not uid 80 mode rxws;
${CMD} add subject gid 80 object not gid 80 mode rxws;
]]]

Doesn't the above mean that an apache user (eg, user-supplied CGI 
process, PHP script, etc) has the ability to read (and write!) anything 
in the filesystem?

Similarly: mailnull, majordomo, bin, etc, appear to get "elevated" 
privileges via this file and mac_bsdextended.

[[[
####
# For cyrus:
${CMD} add subject uid 60 object not uid 60 mode rxws;
${CMD} add subject gid 60 object not gid 60 mode rxws;
]]]

Cyrus is a "black box" mail server: the cyrus user normally winds up 
owning anything that the IMAP server needs to touch.

[[[
# For the nobody account:
${CMD} add subject uid 65534 object not uid 65534 mode rxws;
${CMD} add subject gid 65534 object not gid 65534 mode rxws;
]]]

... and doesn't this (almost, no "a" flag) completely negate the
point
of the nobody account in the first instance?

Not quite getting it,
jan

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44 (0)117 9287088 (with luck)   http://ioctl.org/jan/
I shave with Occam's Razor.

On Mon, Apr 11, 2005 at 02:45:31PM +0100, Jan Grant
wrote:
> Can someone clear something up for me?
> [[[
> # For apache to read user files, the ruleadd must give
> # it permissions by default.
> ####
> ${CMD} add subject uid 80 object not uid 80 mode rxws;
> ${CMD} add subject gid 80 object not gid 80 mode rxws;
> ]]]
> Doesn't the above mean that an apache user (eg, user-supplied CGI 
> process, PHP script, etc) has the ability to read (and write!) anything 
> in the filesystem?
MAC restrictions apply in addition to normal restrictions, i.e. an
access is allowed only if both the normal filesystem permissions and
ugidfw permit it.

-- 
Jilles Tjoelker