Date: Wed, 2 Apr 2003 13:04:26 -0500 (Est)
From: Joshua Slive
To: users@httpd.apache.org
Subject: Re: [users@httpd] safe environment list

On Wed, 2 Apr 2003, Dmitri wrote:

> However, the question is, how to make suEXEC _NOT_ clean up certain
> variables? I looked everywhere and couldn't find any references to
> configuring the list, except the above fragment.
> So I had to edit suexec.c, which doesn't seem like a good solution. There
> don't seem to be any such configure options or anything at all. Is it just
> me or is the list not designed to be configured?

Editing suexec.c is the only solution. A basic part of the security model of suexec is that it is NOT run-time configurable. Violating this rule could allow users to exploit suexec. By forcing all configuration to be compiled into the binary, suexec assures that an administrator can know exactly what happens when he/she grants suid permissions to that binary.

Joshua.
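
The design described in the reply above, as an added C example (not part of the original message and not Apache's suexec.c): a wrapper whose environment allowlist is a compiled-in array with no run-time override, so the binary's behaviour is fixed at build time. The names SAFE_ENV, SAFE_PATH, env_is_safe and clean_env, the list contents and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Compiled-in allowlist (constructed). An entry ending in '=' matches one exact
 * variable, any other entry a name prefix. Changing it means rebuilding. */
static const char *const SAFE_ENV[] = {
    "HTTP_", "SSL_",
    "QUERY_STRING=", "REQUEST_METHOD=", "REMOTE_ADDR=", "TZ=",
    NULL
};
static const char SAFE_PATH[] = "PATH=/usr/local/bin:/usr/bin:/bin";
/* Constructed sample of what a caller might hand to the wrapper. */
static const char *SAMPLE_ENV[] = {
    "HTTP_HOST=example.test", "LD_PRELOAD=/tmp/x.so", "PATH=/tmp",
    "TZ=UTC", "MY_APP_CONFIG=/etc/app.conf", NULL
};
static const char *cleaned[8];

/* Returns 1 if a "NAME=value" entry matches the compiled-in allowlist. */
int env_is_safe(const char *entry)
{
    if (strchr(entry, '=') == NULL)
        return 0;                      /* malformed entry: drop it */
    for (size_t i = 0; SAFE_ENV[i] != NULL; i++)
        if (strncmp(entry, SAFE_ENV[i], strlen(SAFE_ENV[i])) == 0)
            return 1;
    return 0;
}

/* Copies allowed entries of in[] into out[] (cap slots), then appends the
 * fixed PATH and a NULL terminator. Returns the number of entries written. */
size_t clean_env(const char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return 0;             /* no room for PATH plus terminator */
    for (size_t i = 0; in[i] != NULL && n < cap - 2; i++)
        if (env_is_safe(in[i]))
            out[n++] = in[i];
    out[n++] = SAFE_PATH;              /* caller-supplied PATH never survives */
    out[n] = NULL;
    return n;
}

int main(void)
{
    size_t n = clean_env(SAMPLE_ENV, cleaned, 8);
    for (size_t i = 0; i < n; i++) puts(cleaned[i]);
    return 0;
}
```

In this sample, MY_APP_CONFIG is dropped along with LD_PRELOAD; the only way to pass it through is to add "MY_APP_CONFIG=" to the array and rebuild.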