httpd-dev mailing list archives

From "Sleazy Weazle" <>
Subject Re: suexec & ScriptAlias/ScriptAliasMatch
Date Sat, 30 Mar 2002 21:07:57 GMT

>Subject: Re: suexec & ScriptAlias/ScriptAliasMatch
>Date: Sat, 30 Mar 2002 12:59:58 -0500
> > I am just starting to look at the server code and have been playing with 
> > suexec code. Want to try to pass additional parameters to suexec, in
> > particular the value of the ScriptAlias or ScriptAliasMatch (after regex) 
> > the VirtualHost. Believe I have found where suexec is called but unable 
> > to figure out where the ScriptAlias/Match value is or how to pass it. Any 
> > greatly appreciated.
>
>Why modify the httpd code?  Why not just (carefully) modify the suEXEC 
>
>suEXEC requires that Apache chdir into the directory with the target script
>before starting suEXEC.  Therefore, getcwd() will return the absolute path
>equivalent to ScriptAlias or ScriptAliasMatch.  (They'll be identical if
>there are no symlinks in the path.)
>
>Anyway, what are you planning on doing with the ScriptAlias or
>ScriptAliasMatch value in suEXEC?
>
>BTW, if you want a quick way to pass additional params to suEXEC, you could
>use SetEnv in Apache.  Then, suEXEC would have the value available to it
>until the part of suEXEC near the end of the code which purges the
>environment of all but known good CGI vars.
>
>Of course, you should never blindly trust environment values.  Same thing
>with params passed to an suid program such as suEXEC.  That's why you
>should have a really, really good reason for needing to pass additional
>params to suEXEC.  The current parameters (target uid, target gid, and
>target program) are all rigorously checked by suEXEC before being used.
>
>If you plan on using any new info from the environment or from an
>additional param, then make sure it is properly validated before you
>use it!

The initial reason was because I could fully understand the suexec code and 
was playing with it on a server (on a non-standard port with an ipchains 
firewall script that only allows my ip to access that port) and was trying 
to think of a way to maybe add some things to allow it to work with some 
form of mass virtual hosting. The purpose of passing additional parameters 
and the use of the ScriptAliasMatch was based on a thought to do some double 
checking on other data that may be passed to suexec to make sure it is OK. 
At this point, it is all for me to learn more about Apache, the security 
model of suexec, modify it and see if I can break it, etc.
