
Bug#356285: apache2-utils: add note to manpage that htpasswd is not safe for setuid/sudo



forwarded 356285 http://issues.apache.org/bugzilla/show_bug.cgi?id=40950
tags 356285 patch
thanks

Hi,

> This note from the htpasswd source:
> 
> "NOTE! This program is not safe as a setuid executable!  Do not make it
> setuid!"
> 
> should also be in the man page.

This sounds sensible, also outside of Debian. I've forwarded your
request with a patch to upstream. I'm attaching the patch here as well.


Thijs
Index: docs/manual/programs/htpasswd.xml
===================================================================
--- docs/manual/programs/htpasswd.xml	(revision 473940)
+++ docs/manual/programs/htpasswd.xml	(working copy)
@@ -188,6 +188,9 @@
     <em>not</em> be within the Web server's URI space -- that is, they should
     not be fetchable with a browser.</p>
 
+    <p>This program is not safe as a setuid executable. Do <em>not</em> make it
+    setuid.</p>
+
     <p>The use of the <code>-b</code> option is discouraged, since when it is
     used the unencrypted password appears on the command line.</p>
 </section>
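Review bot: the added paragraph in htpasswd.xml only warns against setuid, while the bug title covers "setuid/sudo"; since the same risk applies when the binary is run with elevated privileges through sudo, consider wording it as "This program is not safe as a setuid executable, nor should it be run via sudo." Placement between the file-location advice and the <code>-b</code> caveat is fine, as all three are security notes in the same section, and the text matches the source comment quoted in the report.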
Index: docs/manual/programs/htdigest.xml
===================================================================
--- docs/manual/programs/htdigest.xml	(revision 473940)
+++ docs/manual/programs/htdigest.xml	(working copy)
@@ -66,4 +66,9 @@
     </dl>
 </section>
 
+<section id="security"><title>Security Considerations</title>
+    <p>This program is not safe as a setuid executable. Do <em>not</em> make it
+    setuid.</p>
+</section>
+
 </manualpage>
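Review bot: this hunk introduces a new <section id="security"> in htdigest.xml, so make sure no other section in that file already uses the id "security" (the diff context cannot show this), and keep the title "Security Considerations" identical to the existing htpasswd section so the two pages read consistently. As in the htpasswd hunk, the sentence mentions only setuid; the report's subject also names sudo, so the same "nor should it be run via sudo" wording would be worth adding here.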
