httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Apache requires read permissions for parent directories of configuration files
Date Mon, 22 Jun 2009 18:38:36 GMT
William A. Rowe, Jr. wrote:
> Ivan Zhakov wrote:
> 
>> * is it possible to remove APR_FILEPATH_TRUENAME argument in the trunk
>>   of Apache HTTP Server? (see attached patch)
> 
> -1, veto for such a change.
> 
> Change this and httpd and even third party modules can ultimately discover
> their configuration file is invalid, leading to security exposures.

FWIW - I'm willing to entertain a change to record each failed true name
resolution lookup in the error log (Failed to resolve true pathname of
C:\ABC, file permissions problem?).  This will become extremely noisy in
the error log very quickly when it happens several times per request, but
I suspect it's better than failure that admins can't explain.
