From "Jason A. Dour" <>
Subject Re: suexec concerns
Date Sat, 04 Jan 1997 00:17:17 GMT

Many of the issues being raised are based upon poor administration; we can
never keep people from using something improperly...we can only document
how to use it properly.  Not having shells and whatnot in webspace is a
well-known that we can't fix.

As far as tightening down ~userdir requests, I think we need to get a way
for the wrapper to verify its parent as an httpd process.  That would
solve a good number of the issues presented.

On Fri, 3 Jan 1997, Randy Terbush wrote:
> * tack user-cgi directory onto the ~user path.

	-1.  I *still* think we need to find a solution that does not
pre-compile the location.  If we don't we'll break SSIs even more than we
have already...and what of Dir/Loc/File?  I think we should push this to

> * disallow execution by UID < 100

	+1 for disallowing execution by UID < UID_MIN define.  Simple fix.

> * limit the environment variables passed by suexec.

	+1 as long as we don't start going through tons of gyrations and
overhead...  If we start getting into "allow" and "deny" environment files
and parsing apache config files, then I say -1 until 2.0.

> Stupid question here, but shouldn't the server itself be cleaning up
> the environment it is passing to even non-suexec CGI? Perhaps it is...

	IMHO, yes.

	We need to move carefully on some of these issues...  I don't want
what is -- at present -- a decently functional suEXEC to become munged
pre-1.2 roll-out due to new "features."  If it's more than a bugfix, I vote
for 2.0.
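
The two "simple" items voted on above (a UID floor and a limited environment with no "allow"/"deny" config files) can be sketched as follows. This is an added example, not part of the original message and not taken from the Apache suexec source; the allow-list contents, the fixed PATH, the function names and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define UID_MIN 100  /* assumption: threshold taken from the quoted proposal */

/* Hypothetical compiled-in allow list (not the project's own). Entries ending
   in '=' match one exact name; the others match any name with that prefix. */
static const char *const safe_env[] = {
    "HTTP_", "PATH_INFO=", "QUERY_STRING=", "REMOTE_ADDR=",
    "REQUEST_METHOD=", "SERVER_NAME=", NULL
};

/* Refuse to execute on behalf of system accounts (UID below UID_MIN). */
int uid_allowed(uid_t uid) { return uid >= (uid_t)UID_MIN; }

/* Return 1 if a "NAME=value" entry matches the allow list, else 0. */
int env_allowed(const char *entry) {
    for (size_t i = 0; safe_env[i]; i++)
        if (strncmp(entry, safe_env[i], strlen(safe_env[i])) == 0)
            return 1;
    return 0;
}

/* Copy allowed entries of envp into out (cap slots, terminating NULL
   included), then append a fixed PATH. Returns the number of entries. */
size_t clean_env(const char *const envp[], const char *out[], size_t cap) {
    size_t n = 0;
    if (cap < 2) { if (cap) out[0] = NULL; return 0; }
    for (size_t i = 0; envp[i] && n < cap - 2; i++)
        if (env_allowed(envp[i]))
            out[n++] = envp[i];
    out[n++] = "PATH=/usr/bin:/bin";  /* assumption: fixed search path */
    out[n] = NULL;
    return n;
}

/* Constructed sample of an environment handed to the wrapper. */
static const char *const sample[] = {
    "REQUEST_METHOD=GET", "LD_LIBRARY_PATH=/tmp", "IFS=/",
    "HTTP_HOST=example.test", "QUERY_STRING=a=1", NULL
};
static const char *demo_out[16];
size_t demo_clean(void) { return clean_env(sample, demo_out, 16); }

int main(void) {
    demo_clean();
    for (size_t i = 0; demo_out[i]; i++) puts(demo_out[i]);
    return 0;
}
```

Because the list is compiled in, the filter costs one pass over the environment and needs no configuration parsing at request time.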

