Hi On 07/11/2008 11:10:56 PM +0200, Christian Seiler <[EMAIL PROTECTED]> wrote: >> I have an application that I'd like to switch to mod_fcgid, but >> unfortunately it doesn't work as I wanted it to. the (php) application >> uses basic authentication (not in apache but in php) but the entered >> information is definitely not sent down to the application with >> mod_fcgid. > > I already said something on this topic on this mailing list but somehow > I didn't provoke much feedback at all.
I reacted on that topic :-). I only felt that patch wasn't necessary because Apache could already be compiled with authorization passthrough. > > Anyway, have a look at the following postings: > > http://www.mail-archive.com/mod-fcgid-users%40lists.sourceforge.net/msg00161.html > http://www.mail-archive.com/mod-fcgid-users%40lists.sourceforge.net/msg00163.html I compile my server binaries and never rely on pre-compiled versions; I _never_ imagined using Apache without suexec which IMHO is a complete nonsense and should be a default behavior. Finally I never imagined running any virtualhost with the Apache user. That way, running Apache compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe. That said, I didn't realize before that the majority of apache users are using pre-compiled distribution binaries, don't look at the config files and only rely on automatic tools. Some users don't even know how to compile a simple C program or have heard of that "security voodoo thing called suexec". (<troll>Many Linux/LAMP system admins are overrated</troll>). It is then better to keep the default apache configuration safe by _not_ opening such security issues and applying the patch you proposed directly at the module level. > If the patch still applies to the current code base (I haven't tried > it), you can use it in combination with > > PassHeader Authorization > > in order to make sure PHP gets the necessary authentication information. Don't worry, the codebase hasn't changed much, I think your patch can still be applied. But although I am following the code changes very closely, I can't apply it to the upstream (I work on my own local branch, and I am unfortunately not the maintainer). I don't know if they are even still active. > PS: Just as a side note, mod_fastcgi has exactly the same problem and I > got even less reaction when posting a patch there: > > http://fastcgi.com/archives/fastcgi-developers/2007-November/004890.html > http://fastcgi.com/archives/fastcgi-developers/2007-December/004902.html > > Seems like all FastCGI implementations for Apache known to me have no > interest at all in this issue. mod_fastcgi is deader than mod_fcgid, and there is very few people willing (or able to) to help or contribute to such a module. But I believe there is many silent users. Feedbacks of such users could be very interesting. Gabriel ------------------------------------------------------------------------- Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08 _______________________________________________ Mod-fcgid-users mailing list Mod-fcgid-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users
