httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bart van der Schans <sch...@hippo.nl>
Subject Re: suexec for directories
Date Tue, 12 Sep 2006 16:29:25 GMT
Ben Charlton wrote:
> I'm currently involved in building a new webserver environment to
> replace a 6 year old server running a large website with a fairly broken
> publishing model.
> 
> One of the things we'd like to do is lock down PHP so that we're no
> longer using mod_php running all as one user, and this means using
> cgi mode under suexec. The kicker is that we can't use a separate vhost
> for each department/publishing group for various political reasons.
> 
> Naturally, the suexec documentation says "do not edit this on pain of
> death", etc, but we don't seem to have any choice if we want to support
> suexec configuration local to the <directory> stanza. I can understand
> why only virtualhosts were supported under 1.3, as suexec seems to be a
> massive hack that co-opts the User and Group directives, but mod_suexec
> under apache 2.2 seems much cleaner.
> 
> What I would like to know is, a) is there a big obvious answer to this
> that I'm missing, and b) does the following diff for mod_suexec.c open
> up subtle and terrifying security holes that we've managed to overlook?
Did you have a look at mod_suphp? http://www.suphp.org/Home.html

Regards,
Bart

> 
> 
> 63c63
> <     const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT);
> ---
>>     const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
> 
> 118c118
> <     AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL, RSRC_CONF,
> ---
> 
>>     AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL, RSRC_CONF|ACCESS_CONF,
> 
> 
> Many thanks,
> Ben 


-- 

Hippo
Oosteinde 11
1017WT Amsterdam
The Netherlands
Tel  +31 (0)20 5224466
-------------------------------------------------------------
schans@hippo.nl / http://www.hippo.nl
--------------------------------------------------------------

Mime
View raw message