httpd-dev mailing list archives

From Gary Shea <s...@gtsdesign.com>
Subject Re: Contribution: SuEXEC Options
Date Tue, 17 Nov 1998 06:17:37 GMT
On Mon, 16 Nov 1998, Oezguer Kesim wrote:
> > -- is the Option SuEXEC (or whatever semantics we end up using)
> >     approach compatible with the current suexec?  I think it is,
> >     in that as far as I can see no security holes get opened;
> 
> It is compatible since:
> 	- if you don't use the Option SuExec, you have it on per
> 	  <VirtualHost> and ~user request.

Yep.

> 	- If no suexec.conf exists, the default/current behaviour is used.

I don't think either of our suexecs will be distributed with Apache.
Therefore the presence or absence of a suexec.conf is irrelevant.
Once we've installed our suexecs, the Apache folks don't care what
it does -- it's our problem and our names in the CERT bulletin ;)

If we're going to persuade the Apache folks to include hooks so that
we can have a nice suexec implementation, we need to cover all the
bases and ask all the questions that they are naturally going to
ask, and one of those questions is "how does adding this option
affect the 'stock' version of Apache with and without the 'stock'
suexec enabled?".

> >     on the other hand, Option SuEXEC makes no sense at all unless
> >     there is a 'second generation' suexec out there that can
> >     really take advantage of it.  Could be confusing for apache
> >     maintainers.
> 
> We need that kind of Option, in order to tell httpd, that scripts in
> those <Directories> or <Locations> or <VirtualHosts> should be executed by
> a suEXEC.  Therefore, httpd takes advantage of it, not suEXEC.

I agree that we need something like Option SuEXEC so that a more
useful suexec can be implemented.

However, I also think a valid criticism we should address rather
than ignoring is that Option SuEXEC doesn't really make
any sense with the default suexec.  You can use Option
SuEXEC to tell the httpd to call
suexec anywhere you want, but since suexec isn't even BUILT by
default, using Option SuEXEC in the 'stock' configuration
can only screw things up (or at best slow the server down).
Even if the stock suexec is built, calling suexec via Option SuEXEC
is almost guaranteed to break, unless one has used Option SuEXEC only in
properly configured virtual host or ~user areas, where
it would have been automatically called anyway.

It seems to me that the Option SuEXEC should be enabled only
by a specifically requested compiler flag so that it doesn't
exist to confuse the average user.  That way Apache can give
us the hook without fouling up those who won't be using it.
In addition to --enable-suexec we might add something like
--enable-option-suexec.

> cheers,
>   oec

-----------------------------------------------------------------
Gary Shea                                       shea@xmission.com
Salt Lake City                      http://www.xmission.com/~shea

