Simon,
> The Apache log files are still created as root, then. So any user with
> access to httpd.conf can use Apache to e.g. overwrite /etc/passwd.
That is of course, if you don't do a pre-launch verification to your
httpd.conf looking references to important files in your system (where
only /etc/httpd/logs/* or /home/httpd/* directories can be allowed to store
logs). Thanks ! i'll add support for an external file (owned by root)
where the host root can define places to use as logs.
Regards,
_______________________________________________________
Urivan Saaib
Presidente
CiberNET Mexico
Email: [EMAIL PROTECTED]
