httpd-dev mailing list archives

From Fabien COELHO <>
Subject RE: better suexec control proposal
Date Thu, 17 Feb 2000 08:12:23 GMT


> (1) Added an on/off feature for suexec on a per-webserver basis, so I can use
> one binary build for multiple server instances, some of which need suexec and
> some of which don't.
> (2) Added a disable/enable option for suexec on a per-virtual-host basis. I
> wanted to be able to forbid some of my customers from using suexec, if needed.

I need per-directory.

> (3) Modified suexec so that it no longer reads the user and group from
> the User and Group configuration directives. It now reads the user to
> switch to from the owner of the file it is about to execute (with
> appropriate restrictions) IF the file ends in the "-set" extension.
> Without the "-set" extension, the program is run as nobody.  This
> allows me to set up the ".cgi" extension to run normally and the
> ".cgi-set" extension to privileged.

Eventually, kind of a 

<File "*-set">
SuExec enable

could do this job, depending on how the suexec control is implemented,
and without hacking the suexec program itself. Also it does not 
solve the "mandatory" suexecution control I wish, because a user can
change the program name at will.

> I think this is a nice way to handle the whole suexec problem, but I
> doubt that a change this far reaching would be accepted.

Yep. Do you have a patch so that I can have a look at it? It might help
anyway!

Thanks, have a nice day,

