httpd-dev mailing list archives

Subject Re: Deja vu
Date Wed, 03 Jan 2001 03:58:56 GMT

> >> >So we need to make it threadsafe when it's missing, then?
> >> 
> >> You have to wrap it in a mutex and copy the data somewhere safe.
> >
> >If you are going to do that, you have to make sure that it doesn't call
> >any other functions that might be shared with another part of libc.  :-)
> Yes, in particular for this case all other functions that access the
> passwd database.

This needs to be VERY well documented if we are going to try to implement
it.  Basically, this means that suexec and userdir can't really be put
into the same server on a machine with a threaded MPM and without _r
functions.  Doing so will open a potential security hole.  Both userdir
and suEXEC use the C Run-Time functions to get information from the
password database, and if they happen to do so at the same time from the
same process, we have problems.


Ryan Bloom               
406 29th St.
San Francisco, CA 94131
