httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: [PATCH] remove bogus LockFile warning from docs
Date Mon, 22 Dec 1997 22:21:34 GMT
On Mon, 22 Dec 1997, Dean Gaudet wrote:

> Um, sure if you're on a system that does intelligent things with O_CREAT |
> O_EXCL and intervening symlinks.  I don't trust all systems to do that, so
> this warning applies to some folks.  I think just putting a blanket
> warning in there like this is better than us trying to compile/maintain a
> list of systems that do the right thing.

I really really would suggest that any system which doesn't honor
O_CREAT|O_EXCL properly is so bogus that it isn't worth thinking about.
This is far from your only security problem on such a system... the
problem is that a warning like what was there directly conflicts with
advice to "put it in /var/tmp" that we (I) give.

> 
> DoS alone is a good enough reason for me. 
> 
> Dean
> 
> On Mon, 22 Dec 1997, Marc Slemko wrote:
> 
> > None of the issues with placement of the LockFile apply, so the below
> > warning about the LockFile directive is not necessary.  The only risk is
> > that someone else could create a file with that name and prevent the
> > server from starting; well, a lot of files unless they can guess the pid.
> > 
> > Index: core.html
> > ===================================================================
> > RCS file: /export/home/cvs/apachen/htdocs/manual/mod/core.html,v
> > retrieving revision 1.87
> > diff -u -r1.87 core.html
> > --- core.html	1997/12/14 01:04:56	1.87
> > +++ core.html	1997/12/22 21:07:52
> > @@ -1029,9 +1029,6 @@
> >  must be stored on a local disk</b>.  The PID of the main
> >  server process is automatically appended to the filename. <p>
> >  
> > -The LockFile is subject to the same warnings about log file placement and
> > -<a href="../misc/security_tips.html#serverroot">security</a>.
> > -
> >  <P><HR>
> >  
> >  <h2><A name="maxclients">MaxClients directive</A></h2>
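Review bot: the two removed lines in the -1029,9 hunk are the only security pointer (security_tips.html#serverroot) in the visible LockFile text, and deleting them outright leaves the paragraph silent on the risk the patch description itself names, that someone else could create a file with that name and prevent the server from starting. Consider replacing the blanket sentence with a narrower one that states that remaining risk and that safe placement in a shared directory relies on the system honoring O_CREAT|O_EXCL, rather than removing the note entirely.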
> > 
> > 
> 
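The behaviour this thread turns on, as an added example (not part of the original message and not Apache's code): a self-check that `open()` with `O_CREAT|O_EXCL` refuses a symlink already sitting at the lock file name and leaves its target untouched. The directory, file names and function names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* declares mkdtemp(), symlink() under strict -std= */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a lock file that must not already exist. With O_CREAT|O_EXCL, POSIX
 * requires open() to fail with EEXIST when the final path component exists,
 * including when it is a symlink (even a dangling one). */
int create_lockfile(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: a symlink is already present at the lock file name in
 * a shared directory. Returns 0 if the open was refused with EEXIST, the
 * link target is untouched, and an unused name still works; -1 on setup error. */
int check_preplanted_symlink(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";   /* constructed sample location */
    char target[64], planted[64], fresh[64];
    struct stat st;
    int fd, rc = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/accept.lock.1234", dir);
    snprintf(fresh, sizeof fresh, "%s/accept.lock.5678", dir);
    fd = open(target, O_WRONLY | O_CREAT, 0600);        /* empty victim file */
    if (fd < 0 || close(fd) != 0 || symlink(target, planted) != 0) return -1;
    errno = 0;
    fd = create_lockfile(planted);
    if (fd >= 0 || errno != EEXIST) rc = 1;             /* link was followed */
    if (fd >= 0) close(fd);
    if (stat(target, &st) != 0 || st.st_size != 0) rc = 1;
    fd = create_lockfile(fresh);                        /* unused name: succeeds */
    if (fd < 0) rc = 1; else close(fd);
    unlink(planted); unlink(fresh); unlink(target); rmdir(dir);
    return rc;
}

int main(void)
{
    return check_preplanted_symlink();   /* exit status 0: symlink was refused */
}
```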

