httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ivan Ristic" <ivan.ris...@gmail.com>
Subject Re: My hacked mod_xsendfile
Date Tue, 29 Jan 2008 11:29:58 GMT
I think it will be all right provided the feature is disabled by
default and, as you say, the potential security issue is documented.

On Jan 28, 2008 1:28 PM, Akins, Brian <Brian.Akins@turner.com> wrote:
> On 1/28/08 4:35 AM, "Ivan Ristic" <ivan.ristic@gmail.com> wrote:
> The FastCGI process is likely to be running under a different
> > account, but here we have a facility that allows that other process to
> > use the privileges of the Apache user to fetch a file. I can see how
> > this feature could easily find its way to the list of small tricks
> > that can be used to compromise a web server installation, one step at
> > a time.
>
> Perhaps.  Most of out fastcgi stuff gets executed by httpd, so it has the
> same privileges. Also php under fastgci has access to everything completely
> outside httpd, for example.
>
> I guess if we choose to include support, but the appropriate security
> warnings. Also, this approach will use all the normal httpd file access
> controls rather than just grabbing it "directly."  It is also a "first
> draft" and I'm sure needs work, but I'd like us to push to get xsendfile
> into core.  It's already Apache license, if that helps.
>
> --
>
> Brian Akins
> Chief Operations Engineer
> Turner Digital Media Technologies
>
>



-- 
Ivan Ristic

Mime
View raw message