httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: FW: general/3563: I want to allow the definition and use of macros within runtime configuration files.
Date Tue, 22 Dec 1998 01:52:13 GMT

On Mon, 21 Dec 1998, Roy T. Fielding wrote:

> Ummm, don't you guys think it would be a little risky having
> a Turing complete config language run by root every time the
> server is started?

Don't you guys think it is risky to have the current Turing complete[0]
config language run by root every time the server is started?

I'm not sure where your concern comes from.  It is a given that the
current setup is such that if you can control the server configuration,
you can typically get root.  If your config files are generated by some
program, then anyone that can impact the running of that program can get
root.  It doesn't matter if they can impact it by exploiting some security
hole that gives them a backdoor as it is being run or if they can simply
control the output if it were run by a different user.

[0] if you include the things you can currently do or execute from a
config file plus the typical Unix shell environment, you should be able to
make an argument for the current language being Turing complete.
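
Added example, not part of the original message or of the Apache code base: since control of the configuration is treated above as equivalent to root, this sketch audits who else could modify a config file by checking it and every ancestor directory. The function name `audit_config_chain`, its `trusted_uids` and `top` parameters, and the conservative rule of flagging any group-write bit are assumptions; run it once per file the configuration includes.

```python
import os
import stat
import sys


def audit_config_chain(config_path, trusted_uids=(0,), top="/"):
    """Return (path, problem) pairs for the config file and each ancestor
    directory up to `top` that an account outside trusted_uids could modify.

    A writable ancestor directory is as bad as a writable file: whoever can
    write to it can rename the real file away and drop in a replacement.
    """
    findings = []
    path = os.path.realpath(config_path)  # audit the real file, not a symlink
    top = os.path.realpath(top)
    while True:
        st = os.stat(path)
        if st.st_uid not in trusted_uids:
            findings.append((path, f"owned by uid {st.st_uid}"))
        # Conservative assumption: any group or other write bit is reported,
        # whichever group owns the path.
        if st.st_mode & stat.S_IWGRP:
            findings.append((path, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        parent = os.path.dirname(path)
        if path == top or parent == path:  # reached the audit root
            break
        path = parent
    return findings


if __name__ == "__main__":
    # Usage: python audit.py /path/to/httpd.conf
    problems = audit_config_chain(sys.argv[1])
    for p, problem in problems:
        print(f"{p}: {problem}")
    sys.exit(1 if problems else 0)
```

The same check applies to whatever program generates the config files and to its inputs, since influence over that program is influence over the configuration.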

