Return-Path: 
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 9338 invoked by uid 6000); 11 Mar 1999 19:51:48 -0000
Received: (qmail 9315 invoked from network); 11 Mar 1999 19:51:44 -0000
Received: from alma.lightrealm.com (HELO cyberspace-solutions.net) (207.159.130.4) by taz.hyperreal.org with SMTP; 11 Mar 1999 19:51:44 -0000
Received: from VCPROXY.vencor.com (vc0699ntin.vencor.com [207.15.10.10]) by cyberspace-solutions.net (8.8.5/8.8.5) with ESMTP id MAA19346 for ; Thu, 11 Mar 1999 12:51:00 -0700 (MST)
Date: Thu, 11 Mar 1999 14:51:00 +0000 (!!!First Boot!!!)
From: "Jason A. Dour" 
To: new-httpd@apache.org
Subject: Re: suexec: lstat vs stat
In-Reply-To: 
Message-ID: 
X-X-Sender: d001@dour.org
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On Thu, 11 Mar 1999, Ian Kallen wrote:

> I haven't had need to use it except for some Truly Evil Experiments but it
> always seemed to me that the suexec dials and levers are pretty limited;
> maybe the runtime configuration for suexec should be more instrumented
> than merely checking for it in sbin/ -- the scenario below could be
> regulated as an Option with SymLinksIfOwnerMatch, right? OTOH, why should
> people be rescued from themselves; if they want to share needles or
> skydive without a backup parachute or do other patently dumb things and
> they're apprised of the risks then we can't really fret over their demise:
> it's their wittingly made choice.

Except that it could reflect negatively upon Apache in the long run.

Two decisions were made about suEXEC early on:

1. It should not be a part of the default install since it could easily
   lead to security breaches in the hands of the less knowledgeable.

2. It should be as stringent as possible while still doing its job, since
   we didn't want to see a CERT advisory about Apache because of a
   non-default feature.

Sure...those are both a little selfish on the part of the Apache
Group...but I think they are justifiable decisions...

As far as the SymLinksIfOwnerMatch...IDK...suEXEC has to be EXTREMELY
paranoid about everything since we have no secure means of certifying
who/what is running the suEXEC binary. We've chased our tails on how to
authenticate the server to the suEXEC binary, and there simply is no easy,
low-overhead method of authentication that we could find. That was the
stumbling block behind having suEXEC extend past VHosts and UserDirs....

Jason

# "Jason A. Dour" (http://dour.org/jason/)
# Finger for URLs, PGP Key, Geek Code, PJ Harvey info, et cetera.
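The lstat-versus-stat point in the subject line, and the "as stringent as possible" stance in the message, as an added example in C. This is not Apache's suexec source; it is a minimal "paranoid" pre-exec check of the kind a setuid helper that cannot authenticate its caller has to do for itself: inspect the script with lstat() so a symlink is judged as a link rather than as whatever it points at, refuse links outright, and reject targets whose type, owner or mode are not what the configured target user would be allowed to run. The function names, the verdict enum and the constructed fixture under /tmp are assumptions made here for illustration.

```c
#define _XOPEN_SOURCE 700   /* exposes lstat(), symlink(), mkdtemp(), fchmod() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Verdicts for a candidate CGI target (hypothetical names, not suexec's). */
enum check_result {
    CHECK_OK = 0,
    CHECK_NOT_FOUND,          /* lstat() failed */
    CHECK_IS_SYMLINK,         /* path is a link; refuse rather than follow */
    CHECK_NOT_REGULAR,        /* directory, device, fifo, ... */
    CHECK_WRONG_OWNER,        /* uid/gid differ from the target user */
    CHECK_WRITABLE_BY_OTHERS, /* group/world writable: someone else can swap it */
    CHECK_SETUID_SETGID       /* setuid/setgid bits on the script itself */
};

/* lstat() describes the path itself; stat() would follow a link and report
 * the target's type, owner and mode instead, which is what this check must
 * not be fooled by. */
enum check_result check_target(const char *path, uid_t want_uid, gid_t want_gid)
{
    struct stat st;
    if (lstat(path, &st) != 0)                          return CHECK_NOT_FOUND;
    if (S_ISLNK(st.st_mode))                            return CHECK_IS_SYMLINK;
    if (!S_ISREG(st.st_mode))                           return CHECK_NOT_REGULAR;
    if (st.st_uid != want_uid || st.st_gid != want_gid) return CHECK_WRONG_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH))               return CHECK_WRITABLE_BY_OTHERS;
    if (st.st_mode & (S_ISUID | S_ISGID))               return CHECK_SETUID_SETGID;
    return CHECK_OK;
}

/* 1 if stat() reports PATH as a non-link while lstat() says it is a link,
 * i.e. stat() silently followed it; 0 otherwise; -1 on error. */
int stat_hides_symlink(const char *path)
{
    struct stat via_stat, via_lstat;
    if (stat(path, &via_stat) != 0 || lstat(path, &via_lstat) != 0) return -1;
    return S_ISLNK(via_lstat.st_mode) && !S_ISLNK(via_stat.st_mode);
}

/* --- constructed fixture: three candidate scripts in a temp directory --- */
struct fixture { char dir[64]; char reg[96]; char lnk[96]; char loose[96]; };

static int create_mode(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    int rc = fchmod(fd, mode);   /* fchmod so the umask cannot alter the bits */
    close(fd);
    return rc;
}

static int make_fixture(struct fixture *f)
{
    strcpy(f->dir, "/tmp/lstat-demo-XXXXXX");
    if (mkdtemp(f->dir) == NULL) return -1;
    snprintf(f->reg,   sizeof f->reg,   "%s/script.cgi", f->dir);
    snprintf(f->lnk,   sizeof f->lnk,   "%s/link.cgi",   f->dir);
    snprintf(f->loose, sizeof f->loose, "%s/loose.cgi",  f->dir);
    if (create_mode(f->reg, 0700) != 0)   return -1;  /* owner-only script */
    if (create_mode(f->loose, 0777) != 0) return -1;  /* world-writable script */
    if (symlink(f->reg, f->lnk) != 0)     return -1;  /* link to the good one */
    return 0;
}

static void remove_fixture(struct fixture *f)
{
    unlink(f->lnk); unlink(f->loose); unlink(f->reg); rmdir(f->dir);
}

/* Case 0: regular script, 1: symlink to it, 2: world-writable script.
 * Expected uid/gid are read from the freshly created script so the demo
 * does not depend on how the filesystem assigns group ownership. */
enum check_result demo_case(int which)
{
    struct fixture f = {{0}};
    struct stat ref;
    enum check_result r = CHECK_NOT_FOUND;
    if (make_fixture(&f) == 0 && lstat(f.reg, &ref) == 0) {
        const char *p = which == 0 ? f.reg : which == 1 ? f.lnk : f.loose;
        r = check_target(p, ref.st_uid, ref.st_gid);
    }
    remove_fixture(&f);
    return r;
}

int demo_stat_vs_lstat(void)
{
    struct fixture f = {{0}};
    int r = -1;
    if (make_fixture(&f) == 0) r = stat_hides_symlink(f.lnk);
    remove_fixture(&f);
    return r;
}

int main(void)
{
    printf("regular: %d  symlink: %d  world-writable: %d  stat() hides link: %d\n",
           demo_case(0), demo_case(1), demo_case(2), demo_stat_vs_lstat());
    return 0;
}
```

`demo_stat_vs_lstat()` is the whole argument for lstat in one call: on the link, stat() reports a regular file with the owner and mode of the real script, so a stat-based check would accept a link planted by someone who owns neither the target nor the directory. One caveat a practitioner would add: the check is on a path, and the exec that follows is on a path too, so a window remains between the two; opening the file with O_NOFOLLOW and fstat()ing the descriptor that is then executed narrows it, which is a step beyond what this message discusses.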