The problem I was referring to in my "Sabotage to Ringlink" message was
that somebody had deleted all world-writable and web server-owned files
from our project web site. I submitted a support request to SourceForge,
and in their response they let me know that on 2002-11-30, such files were
removed for *all projects*!!
Their (canned) response includes many words, which I believe proves that
they are embarrassed. They also say:
"While we continue to consider possible solutions which would permit us to
make use of setuid/setgid during the operation of CGI scripts and scripts
run from mod_php, this is a particularly complex problem due to the large
number of VHOSTs we serve from our pool of project web servers."
Complex or not, I hope they will fix it soon. Nowadays most providers of
shared environment web hosting services seem to have set-ups without this
security hole.
/ Gunnar
Ringlink http://www.ringlink.org/
"created by ringmasters for ringmasters"