Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Message-ID: <3D4FE656.2080302@apache.org>
Date: Tue, 06 Aug 2002 08:08:06 -0700
From: Ian Holsman <ianh@apache.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020713
MIME-Version: 1.0
To: dev@httpd.apache.org
Subject: Re: [RFC} mod_suexec...  changing the  ap_hook_get_suexec_identity
References: <3D4F1900.2080102@apache.org> <002d01c23ce1$a6ed4170$4800000a@KOJ>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Ryan Bloom wrote:
>>From: Ian Holsman [mailto:ianh@apache.org]
>>
>>hi guys.
>>currently the hook takes a request_rec as a parameter.
>>
>>but from what I can see it only ever can be set at the server
>>level/vhost level.
>>
>>so .. if no one objects I'm going to change it to be passed a
>>server_rec* into or a
>>request_rec one.
>>
>>
>>affected files would be modules/generators/mod_suexec.c
>>&
>>unixd/unixd.c both of which have the server-rec.
>>
>>this change is to allow other things to start suexec'd things at
> 
> startup.
> 
> Why do you want to be able to start other suexec'd things at startup?
> Wouldn't the security model for SuExec make this complex?  For example,
> the program being run must be within the Apache web space.  Why would
> you want to run a program in that space at startup?
> 
for FastCGI.
it needs to spawn some procs which do CGI. so it suExec's the program 
which sits there for all the requests to use.


> If you do want to run a program at startup, won't it work to just suid
> the program you want to run?  The SuExec security model is tuned to
> being run at request time, and I want to be sure that we don't weaken
> that model to allow running SuExec at startup. 


> 
> Ryan
> 
>