On Wed, 14 Nov 2001, Aaron Bannert wrote:

> Implementation Details:
> 
>  - Apache forms absolute paths for each of the above suexec pathnames,
>    even if they are presented in a relative form.
> 
>  - The logpath and suexec docroot (not the main docroot) are passed as
>    new parameters to the suexec call. (This seems OK to me, since we're
>    already "trusting" the other argv params passed to suexec.)

NO!

These things cannot be passed on the command line.  That is a gaping
security hole.  suexec is designed in a very restrictive manner on purpose
with the assumption that anything passed on the command line is suspect,
and should be treated as such.  That is why there is a hardcoded
docroot, etc.
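
The objection in the reply above, as an added C example (not part of the original message and not suexec's own code): a containment check made against a docroot taken from argv accepts whatever the caller supplies, while the same check against a compiled-in root does not. `EXAMPLE_DOC_ROOT` and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fixed at build time; placeholder value for this example. */
#define EXAMPLE_DOC_ROOT "/var/www"
#define BUF 4096

/* 1 if canonical `path` equals `root` or lies beneath it on a '/' boundary. */
int path_within(const char *root, const char *path)
{
    size_t n = strlen(root);
    if (n == 0 || root[0] != '/' || strncmp(root, path, n) != 0)
        return 0;
    return n == 1 || path[n] == '\0' || path[n] == '/';
}

/* Resolve `dir` (symlinks, "..") by entering it; changes the process cwd. */
static int canonical_dir(const char *dir, char *out, size_t len)
{
    return chdir(dir) == 0 && getcwd(out, len) != NULL;
}

/* Unsafe: the root the check is made against comes from the caller. */
int allows_trusting_argv(const char *target, const char *argv_docroot)
{
    char root[BUF], dir[BUF];
    return canonical_dir(argv_docroot, root, sizeof root)
        && canonical_dir(target, dir, sizeof dir)
        && path_within(root, dir);
}

/* Restrictive: only the compiled-in root counts; argv_docroot is ignored. */
int allows_compiled_in(const char *target, const char *argv_docroot)
{
    char root[BUF], dir[BUF];
    (void)argv_docroot;
    return canonical_dir(EXAMPLE_DOC_ROOT, root, sizeof root)
        && canonical_dir(target, dir, sizeof dir)
        && path_within(root, dir);
}

int main(void)
{
    printf("trusting argv: %d\n", allows_trusting_argv("/", "/"));
    printf("compiled-in:   %d\n", allows_compiled_in("/", "/"));
    return 0;
}
```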

