httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Akins, Brian" <>
Subject Re: My hacked mod_xsendfile
Date Mon, 28 Jan 2008 13:28:46 GMT
On 1/28/08 4:35 AM, "Ivan Ristic" <> wrote:
The FastCGI process is likely to be running under a different
> account, but here we have a facility that allows that other process to
> use the privileges of the Apache user to fetch a file. I can see how
> this feature could easily find its way to the list of small tricks
> that can be used to compromise a web server installation, one step at
> a time.

Perhaps.  Most of out fastcgi stuff gets executed by httpd, so it has the
same privileges. Also php under fastgci has access to everything completely
outside httpd, for example.

I guess if we choose to include support, but the appropriate security
warnings. Also, this approach will use all the normal httpd file access
controls rather than just grabbing it "directly."  It is also a "first
draft" and I'm sure needs work, but I'd like us to push to get xsendfile
into core.  It's already Apache license, if that helps.

Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies

View raw message