httpd-dev mailing list archives

From Andrew Wilson <and...@www.elsevier.co.uk>
Subject Re: NCSA 1.4 --- core dumps seen with /~user problem
Date Thu, 06 Apr 1995 14:09:45 GMT
[~user URLS are lame, but now we know why...]

> It was an interesting exercise, actually --- the first thing that gets
> trampled, on SunOS, is the xfer_log variable, and after that, it's a
> whole lot of library temps, so what happens is that at 40 total
> aliases, the child process stops logging transactions, but still keeps
> serving them for a while.  However, at about 48 total aliases,
> counting Alias directives, ScriptAlias directives, and internally
> generated aliases for /~user URLs, you finally run it off the end of
> the data space, and at that point it finally does segfault.
> 
> This is on SunOS, of course, and is entirely dependent on what order
> the linker chooses to arrange the data.
> 
> At any rate, at sites which have more than 40-odd people with /~user
> URLs, this problem is quite likely to lead to sporadic server core
> dumps; it probably ought to be fixed.
> 
> rst


COMMA used to have ~user URLs when we first set the server up in 93,
but Robert Evans deemed that any program that gave away real usernames
to the outside world was intrinsically a bad thing - too easy for
crackers to get into poorly passworded accounts etc, etc.

So for security reasons ~user URLs are already an issue, regardless of
whether or not your server is stable when using them.  One for
the WWW-admin FAQ?  (are we gonna have a WWW-admin FAQ?)

Ay.
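
An added example, not part of the original message and not NCSA httpd's code: a fixed 40-entry alias table of the kind the quoted report describes, with the limit check that keeps entry 41 from being written past the end. All names, the field size and the public_html suffix are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ALIASES 40   /* limit from the report quoted above */
#define MAX_LEN 256      /* assumed field size */

struct alias { char fake[MAX_LEN]; char real[MAX_LEN]; };
static struct alias aliases[MAX_ALIASES];  /* fixed table, as in the report */
static int num_aliases = 0;

/* Without the first check below, entry 41 is written onto whatever the
 * linker placed after the table. Checked form: refuse the entry instead. */
int add_alias(const char *fake, const char *real)
{
    if (num_aliases >= MAX_ALIASES)
        return -1;                               /* table full */
    if (strlen(fake) >= MAX_LEN || strlen(real) >= MAX_LEN)
        return -2;                               /* field too long */
    strcpy(aliases[num_aliases].fake, fake);     /* lengths checked above */
    strcpy(aliases[num_aliases].real, real);
    return num_aliases++;
}

/* Generated /~user alias: counted against the same limit as Alias lines. */
int add_user_alias(const char *user, const char *home)
{
    char fake[MAX_LEN], real[MAX_LEN];
    int n = snprintf(fake, sizeof fake, "/~%s", user);
    int m = snprintf(real, sizeof real, "%s/public_html", home);
    if (n < 0 || m < 0 || n >= MAX_LEN || m >= MAX_LEN)
        return -2;                               /* name was truncated */
    return add_alias(fake, real);
}

/* Register n constructed users; return how many were refused. */
int fill_aliases(int n)
{
    char user[32], home[64];
    int i, refused = 0;
    for (i = 0; i < n; i++) {
        snprintf(user, sizeof user, "user%d", i);
        snprintf(home, sizeof home, "/home/user%d", i);
        if (add_user_alias(user, home) < 0)
            refused++;
    }
    return refused;
}

int count_aliases(void) { return num_aliases; }
int main(void) { printf("%d refused\n", fill_aliases(48)); return 0; }
```

A caller that gets -1 back can log the refused alias and keep serving, rather than silently losing its log handle first and crashing later.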

