httpd-dev mailing list archives

From Manoj Kasichainula <ma...@io.com>
Subject Re: [PATCH] security - run mod_cgid's daemon under same user as Apache
Date Thu, 08 Jun 2000 10:10:43 GMT

On Wed, Jun 07, 2000 at 05:56:48PM -0600, Marc Slemko wrote:
> This still allows people who can compromise the user Apache runs as to
> make random requests to cgid.  Is that an issue?  I don't know, I don't
> know anything about cgid.
> 
> The "normal" way to do things would be to open the Unix socket in the
> parent as root, and keep it open so it is inherited by the child
> processes.  I don't know if that works for this.

If the children don't need to reopen the socket, this is the best
solution.

Otherwise, an alternate solution would be what mod_jserv does: Have a
secret key that is used to authenticate a connection. Now, since I
believe mod_cgid has the luxury of having been forked but not execed,
it doesn't have to store the key on disk like jserv does; the key
could be some random number (though you'd have to be very careful that
this was a truly random number, and not something guessable).
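
An added illustration of the in-memory key idea from the message above; it is not part of the original post and not mod_cgid or mod_jserv code. The key is generated before fork(), so the daemon inherits it without it ever touching disk, and a connection is accepted only if it presents the same bytes. Assumptions: the names gen_key, ct_equal and run_exchange are hypothetical, /dev/urandom is the randomness source, and a socketpair stands in for the connection to cgid's Unix socket.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define KEY_LEN 32
static unsigned char key[KEY_LEN];    /* memory only; inherited across fork() */

/* Fill the key from the kernel CSPRNG (assumed source); 0 on success, -1 on failure. */
static int gen_key(void) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, key, KEY_LEN);
    close(fd);
    return n == KEY_LEN ? 0 : -1;     /* a short read is not a usable key */
}

/* Compare with no early exit, so timing does not reveal how many bytes matched. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Returns 1 if the daemon accepted the connection, 0 if it refused, -1 on error.
 * have_key=1: client inherited the key; have_key=0: client presents all zeros. */
int run_exchange(int have_key) {
    int sv[2];                        /* constructed stand-in for the cgid socket */
    unsigned char buf[KEY_LEN] = {0};
    char verdict = 0;
    if (gen_key() != 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();               /* forked but not exec'd: key[] is still there */
    if (pid < 0) return -1;
    if (pid == 0) {                   /* daemon side: authenticate before any work */
        close(sv[0]);
        ssize_t n = recv(sv[1], buf, KEY_LEN, MSG_WAITALL);
        verdict = (n == KEY_LEN && ct_equal(buf, key, KEY_LEN)) ? 'Y' : 'N';
        if (write(sv[1], &verdict, 1) != 1) _exit(1);
        _exit(0);
    }
    close(sv[1]);                     /* client side */
    if (have_key) memcpy(buf, key, KEY_LEN);
    if (write(sv[0], buf, KEY_LEN) != KEY_LEN || read(sv[0], &verdict, 1) != 1) verdict = 0;
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return verdict == 'Y' ? 1 : verdict == 'N' ? 0 : -1;
}
int main(void) { return run_exchange(1) == 1 && run_exchange(0) == 0 ? 0 : 1; }
```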

