httpd-dev mailing list archives

From "Ralf S. Engelschall" <...@engelschall.com>
Subject Re: apaci
Date Sun, 26 Apr 1998 08:21:53 GMT

In article <19980425155222.C24518@io.com> you wrote:
> On Sat, Apr 25, 1998 at 08:11:52PM +0200, Ralf S. Engelschall wrote:
>> Adding or just activating third-party modules, enabling suEXEC
>> feature, all-in-one "make install"

> Hmm, this brings up a possible concern. From manual/suexec.html:

>    Fourth, and last, it has been the decision of the Apache Group to NOT 
>    make suEXEC part of the default installation of Apache. To this end,  
>    suEXEC configuration is a manual process requiring of the
>    administrator careful attention to details. It is through this process
>    that the Apache Group hopes to limit suEXEC installation only to those
>    who are determined to use it.

> Has this changed? Another possible concern is that some of the default
> config parameters for suEXEC may not be valid on all platforms, which
> could lead to possible security holes. For example, UID_MIN and
> GID_MIN should be set to 500 for Red Hat Linux systems. I don't see a
> way offhand to set these parameters.

Hmmm.... although suEXEC is not part of the _default_ installation (you need
an extra option to force suEXEC support), the UID_MIN and GID_MIN stuff is
a good point. We could add two more options like --suexec-uidmin and
--suexec-gidmin. How about this? Or should we completely drop the suEXEC
support in APACI?
                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com
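
An added example, not part of the original message or of Apache's code: a Python check for the concern raised in this thread, listing system accounts that suEXEC would still accept as a target when UID_MIN/GID_MIN sit below the platform's first regular-user id (500 for Red Hat Linux, per the thread). The passwd data, the low minimum of 100 and all function names are constructed for illustration, and the acceptance rule (refuse id 0 and ids below the minimum) is a simplified model of suEXEC's check.

```python
from typing import NamedTuple

# Constructed passwd(5) sample; the last line is deliberately malformed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
postgres:x:101:101:PostgreSQL:/var/lib/pgsql:/bin/bash
squid:x:250:250::/var/spool/squid:/dev/null
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
broken-line-without-fields
"""

class Account(NamedTuple):
    name: str
    uid: int
    gid: int

def parse_passwd(text):
    """Parse passwd lines, skipping blanks, comments and malformed entries."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or fields[0].startswith("#"):
            continue
        try:
            accounts.append(Account(fields[0], int(fields[2]), int(fields[3])))
        except ValueError:
            continue  # non-numeric uid/gid field
    return accounts

def exposed_system_accounts(accounts, uid_min, gid_min, first_user_id):
    """Return system accounts that the modelled suEXEC minimums still accept.

    Assumed model: a target is refused if its uid or gid is 0 or is below
    the compiled-in minimum. An account counts as a system account if its
    uid or gid is below the platform's first regular-user id.
    """
    exposed = []
    for acct in accounts:
        accepted = (acct.uid != 0 and acct.gid != 0
                    and acct.uid >= uid_min and acct.gid >= gid_min)
        is_system = acct.uid < first_user_id or acct.gid < first_user_id
        if accepted and is_system:
            exposed.append(acct)
    return exposed

if __name__ == "__main__":
    for acct in exposed_system_accounts(parse_passwd(SAMPLE_PASSWD), 100, 100, 500):
        print(f"suEXEC would accept system account {acct.name} (uid={acct.uid})")
```

On a real host, pass the contents of `/etc/passwd` and the minimums the suEXEC binary was built with; an empty result means the minimums already cover the platform's system-account range.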
