httpd-cvs mailing list archives

From Dean Gaudet <dgau...@hyperreal.com>
Subject cvs commit: apache/src CHANGES http_core.c
Date Sat, 28 Jun 1997 22:00:19 GMT
dgaudet     97/06/28 15:00:18

  Modified:    src       Tag: APACHE_1_2_X  CHANGES http_core.c
  Log:
  Whack people upside the head if they try to run apache as root.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.286.2.15 +4 -1      apache/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apache/src/CHANGES,v
  retrieving revision 1.286.2.14
  retrieving revision 1.286.2.15
  diff -C3 -r1.286.2.14 -r1.286.2.15
  *** CHANGES	1997/06/28 19:51:25	1.286.2.14
  --- CHANGES	1997/06/28 22:00:15	1.286.2.15
  ***************
  *** 13,22 ****
         (headers, readmes, titles), mod_negotiation (type maps), or
         mod_cern_meta (meta files).  [Dean Gaudet]
    
      *) CONFIG: "HostnameLookups" now defaults to off because it is far better
         for the net if we require people that actually need this data to
         enable it.  [Linus Torvalds]
  !   
      *) mod_include was not properly changing the current directory.
         [Marc Slemko] PR#742
    
  --- 13,25 ----
         (headers, readmes, titles), mod_negotiation (type maps), or
         mod_cern_meta (meta files).  [Dean Gaudet]
    
  +   *) SECURITY: Apache will refuse to run as "User root" unless
  +      BIG_SECURITY_HOLE is defined at compile time.  [Dean Gaudet]
  + 
      *) CONFIG: "HostnameLookups" now defaults to off because it is far better
         for the net if we require people that actually need this data to
         enable it.  [Linus Torvalds]
  ! 
      *) mod_include was not properly changing the current directory.
         [Marc Slemko] PR#742
    
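Review bot: The new SECURITY entry in the `--- 13,25 ----` half says the server refuses to run as "User root", but the check added to http_core.c in this same commit tests `cmd->server->server_uid == 0`, so any User value that resolves to uid 0 is refused, not only the name root. Suggest wording the entry as "refuse to run as root (uid 0)" so an administrator reading CHANGES knows what is actually tested. The `!` lines only alter whitespace on a blank separator line; that churn is unrelated to the entry and could be left out of the commit.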
  
  
  
  1.81.2.1  +15 -1     apache/src/http_core.c
  
  Index: http_core.c
  ===================================================================
  RCS file: /export/home/cvs/apache/src/http_core.c,v
  retrieving revision 1.81
  retrieving revision 1.81.2.1
  diff -C3 -r1.81 -r1.81.2.1
  *** http_core.c	1997/05/08 13:09:24	1.81
  --- http_core.c	1997/06/28 22:00:16	1.81.2.1
  ***************
  *** 886,894 ****
    	else {
    	    cmd->server->server_uid = user_id;
    	    fprintf(stderr,
  ! 		    "Warning: User directive in <VirtualHost> requires SUEXEC wrapper.\n");
    	}
        }
    
        return NULL;
    }
  --- 886,908 ----
    	else {
    	    cmd->server->server_uid = user_id;
    	    fprintf(stderr,
  ! 		"Warning: User directive in <VirtualHost> "
  ! 		"requires SUEXEC wrapper.\n");
    	}
        }
  + #if !defined (BIG_SECURITY_HOLE)
  +     if (cmd->server->server_uid == 0) {
  + 	fprintf (stderr,
  + "Error:\tApache has not been designed to serve pages while running\n"
  + "\tas root.  There are known race conditions that will allow any\n"
  + "\tlocal user to read any file on the system.  Should you still\n"
  + "\tdesire to serve pages as root then add -DBIG_SECURITY_HOLE to\n"
  + "\tthe EXTRA_CFLAGS line in your src/Configuration file and rebuild\n"
  + "\tthe server.  It is strongly suggested that you instead modify the\n"
  + "\tUser directive in your httpd.conf file to list a non-root user.\n");
  + 	exit (1);
  +     }
  + #endif
    
        return NULL;
    }
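Review bot: The `cmd->server->server_uid == 0` test at the end of this function runs only when a User directive is actually parsed, so it is worth confirming that a configuration with no User line can never leave `server_uid` at 0, since nothing in this hunk covers that path. The new block also ends in `exit (1)` while the function itself finishes with `return NULL;`; if the return value is an error string, as that suggests, returning the message would let the caller report it with the other configuration errors. Style: `fprintf (stderr,`, `exit (1)` and `defined (` put a space before the parenthesis, while the `fprintf(stderr,` a few lines up in the same hunk does not.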
  
  
  
