httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] safe environment list
Date Wed, 02 Apr 2003 18:04:26 GMT


On Wed, 2 Apr 2003, Dmitri wrote:
> However, the question is, how to make suEXEC _NOT_ clean up certain
> variables? I looked everywhere and couldn't find any references to
> configuring the list, except the above fragment.
> So I had to edit suexec.c, which doesn't seem like a good solution. There
> don't seem to be any such configure options or anything at all. Is it just
> me or is the list not designed to be configured?

Editing suexec.c is the only solution.

A basic part of the security model of suexec is that it is NOT run-time
configurable.  Violating this rule could allow users to exploit suexec.
By forcing all configuration to be compiled into the binary, suexec assures
that an administrator can know exactly what happens when he/she grants
suid permissions to that binary.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
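
As an added illustration (not code from the original message or from suexec.c): a minimal environment filter whose allowlist and PATH are fixed at compile time, so changing what passes through means editing the source and rebuilding, as the reply describes. The allowlist entries, the `SAFE_PATH` value, the function names and the sample environment are assumptions constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Compiled-in allowlist (constructed, not suexec.c's list). Entries match as
 * prefixes; a trailing '=' pins one exact name. PATH is replaced, not kept. */
static const char *const safe_env[] = {
    "HTTP_", "SSL_", "QUERY_STRING=", "REQUEST_METHOD=", "TZ=", NULL
};
#define SAFE_PATH "PATH=/usr/local/bin:/usr/bin:/bin" /* assumed value */

static int is_safe(const char *entry)
{
    for (size_t i = 0; safe_env[i] != NULL; i++)
        if (strncmp(entry, safe_env[i], strlen(safe_env[i])) == 0)
            return 1;
    return 0;
}

/* SAFE_PATH plus allowlisted entries of envp; NULL if allocation fails. */
static const char **clean_env(const char *const envp[])
{
    size_t n = 0, k = 0;
    while (envp[n] != NULL)
        n++;
    const char **out = calloc(n + 2, sizeof *out);
    if (out == NULL)
        return NULL;
    out[k++] = SAFE_PATH;
    for (size_t i = 0; i < n; i++)
        if (is_safe(envp[i]))
            out[k++] = envp[i];
    out[k] = NULL;
    return out;
}

/* Value of NAME in env, or NULL when the variable is absent. */
static const char *env_get(const char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

static const char *const sample_env[] = { /* constructed sample input */
    "LD_PRELOAD=/tmp/x.so", "PATH=/home/user/bin", "HTTP_HOST=example.test",
    "QUERY_STRING=a=1", "MY_APP_MODE=debug", NULL
};
```

Nothing in the filter reads a file, a flag or the environment to decide what is safe, so an unprivileged caller has no input that widens the list; the custom `MY_APP_MODE` variable is dropped along with `LD_PRELOAD` until the source is changed and the binary rebuilt.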

