www-apache-bugdb mailing list archives

From Gary Shea <s...@gtsdesign.com>
Subject suexec/1769: suexec too limited -- need per-directory control, more permissive directory structures
Date Wed, 04 Feb 1998 05:41:19 GMT

>Number:         1769
>Category:       suexec
>Synopsis:       suexec too limited -- need per-directory control, more permissive directory
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Feb  3 21:50:00 PST 1998
>Originator:     shea@gtsdesign.com
>Release:        1.3*
any os/any compiler/etc.
I work with an ISP providing quite complex web apps, and rely heavily on
the sugid patches to cgi (available up to 1.2b10) to configure what user
a cgi is run as.  Due to changes in Apache, sugid can't be implemented (as
far as I can see) in 1.3, but the restrictions of suexec are too painful!
We often have multiple applications running in subdirectories of a single
cgi-bin, each with its own user (consider mail trapping, etc...).  I don't
want support necessarily, but am struggling with large scale hacking necessary
to add per-directory control of what user/group a script is run as.  Not to
mention the requirement that all virtuals be in a single document space..
I am amazed that this is being accepted by folks.  Am I missing something?
That seems like a tremendously and unjustifiably restrictive requirement.

I'm currently digging through the code, but am still too clueless to suggest
anything.  I want suexec to be able to duplicate the abilities of sugid, if
you are familiar with sugid... per-directory control of userid/groupid.  I
expect I'll have to hack the core to implement this functionality.  Eeek!
What I really want is a policy reading from the Apache folk saying "We don't
care about this problem, you're on your own" or if I'm lucky "here's some
suggestions, go do it and send us the patches"
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
