httpd-dev mailing list archives

From Simon Huggins <hug...@earth.li>
Subject [PATCH] mod_include 1.3.x - limiting EXEC to a certain directory
Date Fri, 28 Jan 2000 23:07:23 GMT
Hi,

A while ago (just before the new year) I wrote a patch for Apache 1.3.9
to limit executable includes to one directory (or any directories off
that).

The rationale was that we (Black Cat Networks) wanted to allow people to
include *our* scripts in a specific directory but didn't want people to
include random executables on our system.

I've attached the patch against 1.3.9 but since I have had lots of other
things to think about (like uni exams) I haven't got around to looking
at any newer versions of Apache.

If people like the idea then it should (hopefully) be trivial to port to
newer versions and I will be glad to do this.

We've been running this patch on our server for almost a month now and
we've not had any problems.

I'd appreciate it if people would look it over from a security viewpoint
though since this is my first Apache patch and I don't claim to know the
API that well.


What it does:

It adds a TrustedIncludesDir directive which takes a directory as a
parameter and then when you specify +IncludesNOEXEC it will allow
execution of scripts if and only if they are in that directory.

In order to get the old behaviour of +IncludesNOEXEC just don't specify
that directive.

We have /include aliased to /home/www/ssi/ and then specify
TrustedIncludesDir /home/www/ssi


All comments, flames, etc. appreciated.


Simon.
-- 
UK based domain, email and web hosting ***/       "If this is monkey pee /*
http://www.blackcatnetworks.co.uk/     **/       you're on your own." - /**
sales@blackcatnetworks.co.uk           */                       Scully /***
Black Cat Networks                     /                              /****
