dgaudet     97/06/28 15:00:18

  Modified:    src       Tag: APACHE_1_2_X  CHANGES http_core.c
  Log:
  Whack people upside the head if they try to run apache as root.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.286.2.15 +4 -1      apache/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apache/src/CHANGES,v
  retrieving revision 1.286.2.14
  retrieving revision 1.286.2.15
  diff -C3 -r1.286.2.14 -r1.286.2.15
  *** CHANGES   1997/06/28 19:51:25     1.286.2.14
  --- CHANGES   1997/06/28 22:00:15     1.286.2.15
  ***************
  *** 13,22 ****
         (headers, readmes, titles), mod_negotiation (type maps), or
         mod_cern_meta (meta files).  [Dean Gaudet]
    
      *) CONFIG: "HostnameLookups" now defaults to off because it is far better
         for the net if we require people that actually need this data to
         enable it.  [Linus Torvalds]
  !   
      *) mod_include was not properly changing the current directory.
         [Marc Slemko] PR#742
    
  --- 13,25 ----
         (headers, readmes, titles), mod_negotiation (type maps), or
         mod_cern_meta (meta files).  [Dean Gaudet]
    
  +   *) SECURITY: Apache will refuse to run as "User root" unless
  +      BIG_SECURITY_HOLE is defined at compile time.  [Dean Gaudet]
  + 
      *) CONFIG: "HostnameLookups" now defaults to off because it is far better
         for the net if we require people that actually need this data to
         enable it.  [Linus Torvalds]
  ! 
      *) mod_include was not properly changing the current directory.
         [Marc Slemko] PR#742
    
  
  
  
  1.81.2.1  +15 -1     apache/src/http_core.c
  
  Index: http_core.c
  ===================================================================
  RCS file: /export/home/cvs/apache/src/http_core.c,v
  retrieving revision 1.81
  retrieving revision 1.81.2.1
  diff -C3 -r1.81 -r1.81.2.1
  *** http_core.c       1997/05/08 13:09:24     1.81
  --- http_core.c       1997/06/28 22:00:16     1.81.2.1
  ***************
  *** 886,894 ****
        else {
            cmd->server->server_uid = user_id;
            fprintf(stderr,
  !                 "Warning: User directive in <VirtualHost> requires SUEXEC 
wrapper.\n");
        }
        }
    
        return NULL;
    }
  --- 886,908 ----
        else {
            cmd->server->server_uid = user_id;
            fprintf(stderr,
  !             "Warning: User directive in <VirtualHost> "
  !             "requires SUEXEC wrapper.\n");
        }
        }
  + #if !defined (BIG_SECURITY_HOLE)
  +     if (cmd->server->server_uid == 0) {
  +     fprintf (stderr,
  + "Error:\tApache has not been designed to serve pages while running\n"
  + "\tas root.  There are known race conditions that will allow any\n"
  + "\tlocal user to read any file on the system.  Should you still\n"
  + "\tdesire to serve pages as root then add -DBIG_SECURITY_HOLE to\n"
  + "\tthe EXTRA_CFLAGS line in your src/Configuration file and rebuild\n"
  + "\tthe server.  It is strongly suggested that you instead modify the\n"
  + "\tUser directive in your httpd.conf file to list a non-root user.\n");
  +     exit (1);
  +     }
  + #endif
    
        return NULL;
    }
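Review bot: The uid 0 test added before `return NULL;` only runs when a User directive is parsed, so a configuration with no User line depends on the compiled-in default being a non-root account, which this hunk does not show; it is worth confirming that default, or repeating the test where the server actually switches identity. The handler also calls `exit (1)` itself, while the visible `return NULL;` suggests that directive handlers report failure through their return value, and returning the message instead would presumably let the config parser add the file and line of the offending directive. A short comment above the `#if` would help, for example `/* Refuse uid 0 unless built with -DBIG_SECURITY_HOLE; the test is on the numeric uid, so any name that maps to 0 is rejected. */`. The enclosing function begins above the hunk, so how user_id is resolved is not visible here.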
  
  
  
