httpd-dev mailing list archives

From "Jason A. Dour" <>
Subject Re: suexec: lstat vs stat
Date Thu, 11 Mar 1999 14:51:00 GMT
On Thu, 11 Mar 1999, Ian Kallen wrote:
> I haven't had need to use it except for some Truly Evil Experiments but it
> always seemed to me that the suexec dials and levers are pretty limited;
> maybe the runtime configuration for suexec should be more instrumented
> than merely checking for it in sbin/ -- the scenario below could be
> regulated as an Option with SymLinksIfOwnerMatch, right?  OTOH, why should
> people be rescued from themselves; if they want to share needles or
> skydive without a backup parachute or do other patently dumb things and
> they're apprised of the risks then we can't really fret over their demise:
> it's their wittingly made choice.

Except that it could reflect negatively upon Apache in the long run.

Two decisions were made about suEXEC early on:

1.  It should not be a part of the default install since it could easily
    lead to security breaches in the hands of the less knowledgeable.

2.  It should be as stringent as possible while still doing its job, since
    we didn't want to see a CERT advisory about Apache because of a
    non-default feature.

Sure...those are both a little selfish on the part of the Apache
Group...but I think they are justifiable decisions...

As far as the SymLinksIfOwnerMatch...IDK...suEXEC has to be EXTREMELY
paranoid about everything since we have no secure means of certifying
who/what is running the suEXEC binary.  We've chased our tails on how to
authenticate the server to the suEXEC binary, and there simply is no easy,
low-overhead method of authentication that we could find.

That was the stumbling block behind having suEXEC extend past VHosts and

# "Jason A. Dour" <>       (
# Finger for URLs, PGP Key, Geek Code, PJ Harvey info, et cetera.
