httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From nil...@apache.org
Subject svn commit: r698397 - /httpd/httpd/branches/2.0.x/docs/manual/suexec.xml
Date Tue, 23 Sep 2008 23:09:50 GMT
Author: nilgun
Date: Tue Sep 23 16:09:50 2008
New Revision: 698397

URL: http://svn.apache.org/viewvc?rev=698397&view=rev
Log:
pre-translation improvements

Modified:
    httpd/httpd/branches/2.0.x/docs/manual/suexec.xml

Modified: httpd/httpd/branches/2.0.x/docs/manual/suexec.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/docs/manual/suexec.xml?rev=698397&r1=698396&r2=698397&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/manual/suexec.xml (original)
+++ httpd/httpd/branches/2.0.x/docs/manual/suexec.xml Tue Sep 23 16:09:50 2008
@@ -29,7 +29,7 @@
     Apache users the ability
     to run <strong>CGI</strong> and <strong>SSI</strong> programs
     under user IDs different from the user ID of the calling
-    web-server. Normally, when a CGI or SSI program executes, it
+    web server. Normally, when a CGI or SSI program executes, it
     runs as the same user who is running the web server.</p>
 
     <p>Used properly, this feature can reduce
@@ -115,7 +115,7 @@
     <ol>
       <li>
         <strong>Is the user executing this wrapper a valid user of
-        this system?</strong> 
+        this system?</strong>
 
         <p class="indent">
           This is to ensure that the user executing the wrapper is
@@ -125,7 +125,7 @@
 
      <li>
         <strong>Was the wrapper called with the proper number of
-        arguments?</strong> 
+        arguments?</strong>
 
         <p class="indent">
           The wrapper will only execute if it is given the proper
@@ -139,7 +139,7 @@
 
       <li>
         <strong>Is this valid user allowed to run the
-        wrapper?</strong> 
+        wrapper?</strong>
 
         <p class="indent">
           Is this user the user allowed to run this wrapper? Only
@@ -150,7 +150,7 @@
 
       <li>
         <strong>Does the target CGI or SSI program have an unsafe
-        hierarchical reference?</strong> 
+        hierarchical reference?</strong>
 
         <p class="indent">
           Does the target CGI or SSI program's path contain a leading
@@ -162,7 +162,7 @@
       </li>
 
       <li>
-        <strong>Is the target user name valid?</strong> 
+        <strong>Is the target user name valid?</strong>
 
         <p class="indent">
           Does the target user exist?
@@ -170,7 +170,7 @@
       </li>
 
       <li>
-        <strong>Is the target group name valid?</strong> 
+        <strong>Is the target group name valid?</strong>
 
         <p class="indent">
           Does the target group exist?
@@ -189,7 +189,7 @@
 
       <li>
         <strong>Is the target userid <em>ABOVE</em> the minimum ID
-        number?</strong> 
+        number?</strong>
 
         <p class="indent">
           The minimum user ID number is specified during
@@ -201,7 +201,7 @@
 
       <li>
         <strong>Is the target group <em>NOT</em> the superuser
-        group?</strong> 
+        group?</strong>
 
         <p class="indent">
           Presently, suEXEC does not allow the <code><em>root</em></code>
@@ -211,7 +211,7 @@
 
       <li>
         <strong>Is the target groupid <em>ABOVE</em> the minimum ID
-        number?</strong> 
+        number?</strong>
 
         <p class="indent">
           The minimum group ID number is specified during
@@ -223,7 +223,7 @@
 
       <li>
         <strong>Can the wrapper successfully become the target user
-        and group?</strong> 
+        and group?</strong>
 
         <p class="indent">
           Here is where the program becomes the target user and
@@ -245,12 +245,13 @@
 
       <li>
         <strong>Is the directory within the Apache
-        webspace?</strong> 
+        webspace?</strong>
 
         <p class="indent">
           If the request is for a regular portion of the server, is
           the requested directory within suEXEC's document root? If
-          the request is for a UserDir, is the requested directory
+          the request is for a <directive module="mod_userdir"
+          >UserDir</directive>, is the requested directory
           within the directory configured as suEXEC's userdir (see
           <a href="#install">suEXEC's configuration options</a>)?
         </p>
@@ -258,7 +259,7 @@
 
       <li>
         <strong>Is the directory <em>NOT</em> writable by anyone
-        else?</strong> 
+        else?</strong>
 
         <p class="indent">
           We don't want to open up the directory to others; only
@@ -268,7 +269,7 @@
       </li>
 
       <li>
-        <strong>Does the target CGI/SSI program exist?</strong> 
+        <strong>Does the target CGI/SSI program exist?</strong>
 
         <p class="indent">
           If it doesn't exists, it can't very well be executed.
@@ -277,7 +278,7 @@
 
       <li>
         <strong>Is the target CGI/SSI program <em>NOT</em> writable
-        by anyone else?</strong> 
+        by anyone else?</strong>
 
         <p class="indent">
           We don't want to give anyone other than the owner the
@@ -287,7 +288,7 @@
 
       <li>
         <strong>Is the target CGI/SSI program <em>NOT</em> setuid or
-        setgid?</strong> 
+        setgid?</strong>
 
         <p class="indent">
           We do not want to execute programs that will then change
@@ -297,7 +298,7 @@
 
       <li>
         <strong>Is the target user/group the same as the program's
-        user/group?</strong> 
+        user/group?</strong>
 
         <p class="indent">
           Is the user the owner of the file?
@@ -306,7 +307,7 @@
 
       <li>
         <strong>Can we successfully clean the process environment
-        to ensure safe operations?</strong> 
+        to ensure safe operations?</strong>
 
         <p class="indent">
           suEXEC cleans the process' environment by establishing a
@@ -319,7 +320,7 @@
 
       <li>
         <strong>Can we successfully become the target CGI/SSI program
-        and execute?</strong> 
+        and execute?</strong>
 
         <p class="indent">
           Here is where suEXEC ends and the target CGI/SSI program begins.
@@ -378,13 +379,15 @@
       directories where suEXEC access should be allowed. All
       executables under this directory will be executable by suEXEC
       as the user so they should be "safe" programs. If you are
-      using a "simple" UserDir directive (ie. one without a "*" in
-      it) this should be set to the same value. suEXEC will not
-      work properly in cases where the UserDir directive points to
+      using a "simple" <directive module="mod_userdir">UserDir</directive>
+      directive (ie. one without a "*" in it) this should be set to the same
+      value. suEXEC will not work properly in cases where the <directive
+      module="mod_userdir">UserDir</directive> directive points to
       a location that is not the same as the user's home directory
-      as referenced in the passwd file. Default value is
-      "public_html".<br />
-       If you have virtual hosts with a different UserDir for each,
+      as referenced in the <code>passwd</code> file. Default value is
+      "<code>public_html</code>".<br />
+      If you have virtual hosts with a different <directive
+      module="mod_userdir">UserDir</directive> for each,
       you will need to define them to all reside in one parent
       directory; then name that parent directory here. <strong>If
       this is not defined properly, "~userdir" cgi requests will
@@ -393,12 +396,13 @@
       <dt><code>--with-suexec-docroot=<em>DIR</em></code></dt>
 
       <dd>Define as the DocumentRoot set for Apache. This will be
-      the only hierarchy (aside from UserDirs) that can be used for
-      suEXEC behavior. The default directory is the <code>--datadir</code>
-      value with the suffix "/htdocs", <em>e.g.</em> if you configure
-      with "<code>--datadir=/home/apache</code>" the directory
-      "/home/apache/htdocs" is used as document root for the suEXEC
-      wrapper.</dd>
+      the only hierarchy (aside from <directive module="mod_userdir"
+      >UserDir</directive>s) that can be used for suEXEC behavior. The
+      default directory is the <code>--datadir</code> value with the suffix
+      "<code>/htdocs</code>", <em>e.g.</em> if you configure with
+      "<code>--datadir=/home/apache</code>" the directory
+      "<code>/home/apache/htdocs</code>" is used as document root for the
+      suEXEC wrapper.</dd>
 
       <dt><code>--with-suexec-uidmin=<em>UID</em></code></dt>
 
@@ -417,63 +421,71 @@
       <dd>This defines the filename to which all suEXEC
       transactions and errors are logged (useful for auditing and
       debugging purposes). By default the logfile is named
-      "suexec_log" and located in your standard logfile directory
-      (<code>--logfiledir</code>).</dd>
+      "<code>suexec_log</code>" and located in your standard logfile
+      directory (<code>--logfiledir</code>).</dd>
 
       <dt><code>--with-suexec-safepath=<em>PATH</em></code></dt>
 
       <dd>Define a safe PATH environment to pass to CGI
       executables. Default value is
-      "/usr/local/bin:/usr/bin:/bin".</dd>
+      "<code>/usr/local/bin:/usr/bin:/bin</code>".</dd>
     </dl>
 
-    <p><strong>Compiling and installing the suEXEC
-    wrapper</strong><br />
-     If you have enabled the suEXEC feature with the
-    <code>--enable-suexec</code> option the <code>suexec</code> binary
-    (together with Apache itself) is automatically built if you execute
-    the <code>make</code> command.<br />
-     After all components have been built you can execute the
-    command <code>make install</code> to install them. The binary image
-    <code>suexec</code> is installed in the directory defined by the
-    <code>--sbindir</code> option. The default location is
-    "/usr/local/apache2/bin/suexec".<br />
-     Please note that you need <strong><em>root
-    privileges</em></strong> for the installation step. In order
-    for the wrapper to set the user ID, it must be installed as
-    owner <code><em>root</em></code> and must have the setuserid
-    execution bit set for file modes.</p>
-
-    <p><strong>Setting paranoid permissions</strong><br />
-    Although the suEXEC wrapper will check to ensure that its
-    caller is the correct user as specified with the
-    <code>--with-suexec-caller</code> <program>configure</program>
-    option, there is
-    always the possibility that a system or library call suEXEC uses
-    before this check may be exploitable on your system. To counter
-    this, and because it is best-practise in general, you should use 
-    filesystem permissions to ensure that only the group Apache 
-    runs as may execute suEXEC.</p>
+    <section>
+      <title>Compiling and installing the suEXEC wrapper</title>
 
-    <p>If for example, your web-server is configured to run as:</p>
-
-<example>
-    User www<br />
-    Group webgroup<br />
-</example>
-
-    <p>and <program>suexec</program> is installed at
-    "/usr/local/apache2/bin/suexec", you should run:</p>
-
-<example>
-    chgrp webgroup /usr/local/apache2/bin/suexec<br />
-    chmod 4750 /usr/local/apache2/bin/suexec<br />
-</example>
-
-    <p>This will ensure that only the group Apache runs as can even
-    execute the suEXEC wrapper.</p>
+      <p>If you have enabled the suEXEC feature with the
+      <code>--enable-suexec</code> option the <code>suexec</code>
binary
+      (together with Apache itself) is automatically built if you execute
+      the <code>make</code> command.</p>
+
+      <p>After all components have been built you can execute the
+      command <code>make install</code> to install them. The binary image
+      <code>suexec</code> is installed in the directory defined by the
+      <code>--sbindir</code> option. The default location is
+      "/usr/local/apache2/bin/suexec".</p>
+
+      <p>Please note that you need <strong><em>root
+      privileges</em></strong> for the installation step. In order
+      for the wrapper to set the user ID, it must be installed as
+      owner <code><em>root</em></code> and must have the setuserid
+      execution bit set for file modes.</p>
+    </section>
+
+    <section>
+      <title>Setting paranoid permissions</title>
+
+      <p>Although the suEXEC wrapper will check to ensure that its
+      caller is the correct user as specified with the
+      <code>--with-suexec-caller</code> <program>configure</program>
+      option, there is
+      always the possibility that a system or library call suEXEC uses
+      before this check may be exploitable on your system. To counter
+      this, and because it is best-practise in general, you should use
+      filesystem permissions to ensure that only the group Apache
+      runs as may execute suEXEC.</p>
+
+      <p>If for example, your web server is configured to run as:</p>
+
+      <example>
+          User www<br />
+          Group webgroup<br />
+      </example>
+
+      <p>and <program>suexec</program> is installed at
+      "/usr/local/apache2/bin/suexec", you should run:</p>
+
+      <example>
+          chgrp webgroup /usr/local/apache2/bin/suexec<br />
+          chmod 4750 /usr/local/apache2/bin/suexec<br />
+      </example>
+
+      <p>This will ensure that only the group Apache runs as can even
+      execute the suEXEC wrapper.</p>
+    </section>
 </section>
 
+
 <section id="enable"><title>Enabling &amp; Disabling
     suEXEC</title>
 
@@ -556,7 +568,7 @@
       <li><strong>suEXEC Points Of Interest</strong></li>
 
       <li>
-        Hierarchy limitations 
+        Hierarchy limitations
 
         <p class="indent">
           For security and efficiency reasons, all suEXEC requests
@@ -571,7 +583,7 @@
       </li>
 
       <li>
-        suEXEC's PATH environment variable 
+        suEXEC's PATH environment variable
 
         <p class="indent">
           This can be a dangerous thing to change. Make certain
@@ -583,7 +595,7 @@
       </li>
 
       <li>
-        Altering the suEXEC code 
+        Altering the suEXEC code
 
         <p class="indent">
           Again, this can cause <strong>Big Trouble</strong> if you



Mime
View raw message