httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rich Bowen <rbo...@rcbowen.com>
Subject Re: [users@httpd] Apache permission problem: No fix planned in near future...
Date Wed, 06 Nov 2002 19:46:18 GMT
On Wed, 6 Nov 2002, Rich Bowen wrote:

> On Wed, 6 Nov 2002, zeno wrote:
>
> >  Hello,
> >
> >  I noticed a permission issue in apache when dealing with modules. I recently
> >  installed mod_proxy on apache 1.3.27 and setup caching of requested documents.
I noticed
>
> After extensive discussion on IRC, it appears that this security concern
> can be "fixed in documentation" to zeno's satisfaction. I'll be taking
> care of that this evening.

Just for the record, here's the proposed patch, which would go into the
security tips document.

'embedded scripting options which run as part of the server itself, such
as mod_php, mod_perl, mod_tcl, and mod_python, run under the identify of
the server itself, and therefore scripts executed by these engines
potentially can access anything the server user can.  some scripting
engines may provide restrictions, but it is better to be safe and assume
not.'

Note that my alternate proposed patch was:

 "note that third party modules can do whatever the hell they want, and
 are therefore a festering source of bugs, security holes, and general
 nastiness."

Along with, perhaps:

 "Third party module may be written by any self-styled programmer who
 bought an "in 24 hours" book on amazon.com. Note that they may be less
 competent than your pet weasel. We disclaim all responsibility for
 their code."

but I was overruled by various voices of sanity.


-- 
Who can say where the road goes
Where the day flows
Only time
 --Pilgrim (Enya - A Day Without Rain)


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message