httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Stein <gst...@lyra.org>
Subject Re: I'm changing my mind about config modules
Date Mon, 17 Apr 2000 19:35:03 GMT
On Mon, 17 Apr 2000, Scott Hess wrote:
> On Fri, Apr 14, 2000 at 12:00:05PM -0700, Greg Stein wrote:
>...
> > Given the re-fork, you're basically talking about a graceful restart. At
> > that point, you may as well decide to just punt the whole dynamic config
> > and go back to re-reading a (changed) config file.
> 
> Having the child propagate config changes to the parent may open security
> holes (because the child runs as nobody and the parent runs as root).
> Having the child write a new config file _definitely_ will open security
> holes (because the config file has to be writable by children, so almost
> any security hole allows exploits that rewrite the config - also, the
> child would probably need to be able to signal the parent).

Excellent point.

> What's fundamentally wrong with seperating the config stuff into a
> seperate server?  That can address both of those problems, because the
> config server can have different permissions and availability than the
> primary server.  Perhaps that can even be worked into a single server,
> somehow, with the primary parent spawning seperate config children which
> don't listen on the same ports or run with the same permissions.

There is nothing fundamentally wrong with this, and it is something that
(I believe) Daniel outlined as a possible option.

The point is: a separate configuration server and the associated
server-to-server protocols is a large step from where we are today.
Something like that can be preconditioned on a way to transmit config
information, which is preconditioned on a way to use different config
input mechanisms. In other words, the plan that we posted is *one* step in
a path that can lead to dynamic config.

We simply said "here is the first step; we are not interested in the
following steps at this point."

By all means, everybody can and should feel free to discuss those future
steps. Personally, I like a bit more focus and will concentrate on the
config reading process *now* and worry about dynamic config *later*.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/


Mime
View raw message