At 01:14 PM 3/3/2003, Bill Stoddard wrote:
>William A. Rowe, Jr. wrote:
>>At 12:30 PM 3/3/2003, Bill Stoddard wrote:
>>>I don't like the idea of enabling this hook at configure time. Why not add the hook
>>>and leave it to modules whether they want to use it or not?
>>
>>Because it is a potential security hole? The only individual who should choose to
>>expose or prevent the hole would be the administrator who installs (and therefore
>>probably built) Apache.
>
>That same admin controls which modules are loaded as well.

And they psychically know that a module is using this hook, or not, as the case
may be? I rather like the "permit this or not" level of control by the Administrator,
without relying on module authors. The paranoid Admin is unlikely to trust either
the application or loadable modules anyways, so giving them as many overrides as
possible to reduce exploitable behavior is goodness.

>>>I don't see the value in crufting up configure more than it already is.
>>
>>Can we piggy-back such features into a single --unwise-but-useful configure option?
>
>Obviously not. If it is -really- unwise, then we should just not do it. I see no
>evidence that is the case though. How, exactly, could this hook be remotely and
>uniquely exploited?

Code running post-segv after a stack overflow is subject to any number of
'side-effects', Mark could provide better pointers to exploit code than I can.

IIUC you propose this hook in the child that is segfaulting. If I've misunderstood
and this is code in the parent after the child segfaults, ignore my musings.

Bill
