httpd-dev mailing list archives

From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject Re: [PATCH] Enhancement to mod_auth
Date Sat, 08 Sep 2001 12:49:47 GMT
* On 2001-09-08 at 08:34,
  William A. Rowe, Jr. <wrowe@rowe-clan.net> excited the electrons to say:
> 
> I've seen similar requests for require group.  While you are cautiously
> modifying the 1.3 code base, would you please consider both?

As I said in the preface, the actual patch does both 'require file-owner'
and 'require file-group'.

> Other than that, coolness, but please document that this is not a SECURE
> method from a multi-user system, since anyone can create an .htpasswd file
> that might cause the user to appear as a root or admin user, but is not.

How do you mean?  Linux does not let you chgrp a file to any group
of which you are not a member; neither does T64U, nor FreeBSD, nor
any other Unixish system with which I am familiar.  Can you spell
out the scenario you have in mind?

> This must be documented as a convenience facility, not a security facility.

I will wait for your explanation before I commit to this, since I
do not see the hole.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"
