Re: --suexec-docroot, any plans to relax the default
Hi Martin,
On Tue, 18 Nov 2003, Martin Foster wrote:
> I've searched the Debian mailing lists and browsed through the Apache
> package's bug report looking for a response or statement from the
> maintainers regarding the restriction of the compile time
> --suexec-docroot flag to '/var/www'. Bug #152564 has been open on this
> issue for almost two years.
>
> I would like to know if the maintainers could state if there is any
> intention of relaxing the flag to '/'. I'm not holding my breath on
> this, but it would be nice to see the bug closed either way.
I am not a suexec expert (.. yet ;)) but after reading the code and the
documentation I think we should consider the bug report as "wontfix".
suexec has a number of very strict checks to pass.
You can see the full documentation for suexec security model here:
http://httpd.apache.org/docs/suexec.html#model
and some interesting foot notes here:
http://httpd.apache.org/docs/suexec.html#jabberwock
Changing the suexec documentroot to / means that the same change should be
done in httpd.conf and in /etc/passwd for user www-data (they should all
match IF I didn't miss anything in suexec code, but of course feel free to
correct me if I am wrong).
This simply means that your / would be the documentroot and as you can
understand this is not good.
(I repeat that I am still not an expert :-) so feel even more free to
correct me ;))
> Thanks for the excellent work on the package,
Thanks to you for using and trusting our packages. This is the real
appreciation for our job :-)
Fabio
--
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues
http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp00004.html