httpd-dev mailing list archives

From Gary Shea <s...@gtsdesign.com>
Subject RE: better suexec control proposal
Date Thu, 17 Feb 2000 09:10:40 GMT

Based on some earlier discussions on this site (I can't remember
who suggested the idea) I've been thinking about a
version of suexec which is entirely table-driven, with its
own configuration outside of Apache.  To trigger use of this
suexec, one would specify some value for User/Group (it could
even be the User/Group that the server is running as)
in a virtual/directory, thereby causing Apache to fork suexec.
Suexec determines what user/group to run the file as
by looking in a configuration file for a mapping between
the directory of the file and a user/group.  If there is
one, it gets run; if there isn't, it doesn't. The configuration
file is a lot of overhead for a high-performance site,
but right now the sites I'm using my old suexec patches on
(which also use a configuration file) are not too heavily
loaded.

The main reason for building suexec this way is that 1) it
gives me the ability to specify the user/group at the
per-directory level, a necessity for my environment, and
2) it unties me from changes in Apache (suexec never seems
to change noticeably).  My old set of suexec patches required a few
hours of work for every Apache release, which are all too
frequent given how busy I am! ;)

I'm wondering if any of the readers who are more security-aware
than I am would be willing to review the code for weaknesses.

	Gary Shea
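
The lookup described in the message above, sketched as an added example; it is not part of the original message and is not Gary Shea's suexec code. The table format, the helper name `lookup_mapping`, the sample paths and the refusal to map to root are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample table, one "<directory> <user> <group>" entry per line.
 * The format is an assumption; the message does not specify one. */
static const char SAMPLE_TABLE[] =
    "# directory user group\n"
    "/home/alice/cgi-bin alice web\n"
    "/srv/shop/cgi shop shop\n"
    "/srv/admin/cgi root root\n";

/* Hypothetical helper. Returns 1 and fills user/group (32-byte buffers) only if
 * the script's directory has an exact table entry; anything else is denied. */
int lookup_mapping(const char *table, const char *script_path,
                   char *user, char *group)
{
    char dir[256], tdir[256], tuser[32], tgroup[32], line[512];
    const char *slash = strrchr(script_path, '/');
    size_t dlen;

    /* Absolute path with a file name, and no component starting with "..". */
    if (script_path[0] != '/' || slash[1] == '\0' || strstr(script_path, "/.."))
        return 0;
    dlen = (size_t)(slash - script_path);
    if (dlen == 0 || dlen >= sizeof dir)
        return 0;
    memcpy(dir, script_path, dlen);
    dir[dlen] = '\0';

    while (*table != '\0') {
        size_t n = strcspn(table, "\n");
        if (n < sizeof line) {
            memcpy(line, table, n);
            line[n] = '\0';
            if (line[0] != '#' &&
                sscanf(line, "%255s %31s %31s", tdir, tuser, tgroup) == 3 &&
                strcmp(tdir, dir) == 0) {
                /* Added safeguard (assumption): never map to root. */
                if (!strcmp(tuser, "root") || !strcmp(tgroup, "root"))
                    return 0;
                strcpy(user, tuser);
                strcpy(group, tgroup);
                return 1;
            }
        }
        table += n + (table[n] == '\n');
    }
    return 0; /* no entry: default deny */
}
```

Matching the directory exactly, rather than by prefix, means a subdirectory does not inherit a mapping unless the table lists it.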

