httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rob Saccoccio" <>
Subject RE: [Fwd: Re: [RFC} mod_suexec... changing the ap_hook_get_suexec_identity]
Date Wed, 07 Aug 2002 00:57:32 GMT
>  > > Why do you want to be able to start other suexec'd things at startup?
>  > > Wouldn't the security model for SuExec make this complex?
> For example,
>  > > the program being run must be within the Apache web space.  Why would
>  > > you want to run a program in that space at startup?
>  > >
>  > for FastCGI.
>  > it needs to spawn some procs which do CGI. so it suExec's the program
>  > which sits there for all the requests to use.
> But I don't think you want to use SuExec for this.  This problem is that
> the FastCGI binary would have to be in the Apache web space, which means
> that a well formed request could actually launch another copy of the
> FastCGI daemon.

No, it won't.  Such a request would *use* the spawned FastCGI application.

> I think you are better off having code in the binary that gets the
> user/group from the Apache binary (probably passed on the command line),
> and have the binary do the setuid itself.  This also has the advantage
> that when you aren't running Apache as root, the FastCGI binary most
> likely doesn't have the permission required to do a setuid, but since you
> are already running as the correct user, you are okay.

This is functionality that has been available in mod_fastcgi for years under

If the proposal is going to cause heartburn, I can work around it by
requiring a user/group be specified with the directive under Apache2.

The intent of the suggestion was to allow backward compatibility with
existing suexec based mod_fastcgi installations and because the currrent
ap_hook_get_suexec_identity() doesn't really need the request_rec that it
currently asks for (if SuexecUserGroup were ever allowed at level lower than
virtual host it *would* be needed of course).


View raw message