On 07/11/2008 11:10:56 PM +0200, Christian Seiler <[EMAIL PROTECTED]> wrote:
>> I have an application that I'd like to switch to mod_fcgid, but
>> unfortunately it doesn't work as I wanted it to. The (PHP) application
>> uses basic authentication (not in Apache but in PHP) but the entered
>> information is definitely not sent down to the application with
>> mod_fcgid.
> I already said something on this topic on this mailing list but somehow
> I didn't provoke much feedback at all.

I reacted on that topic :-). I only felt that patch wasn't necessary 
because Apache could already be compiled with authorization passthrough.

> Anyway, have a look at the following postings:
> http://www.mail-archive.com/mod-fcgid-users%40lists.sourceforge.net/msg00161.html
> http://www.mail-archive.com/mod-fcgid-users%40lists.sourceforge.net/msg00163.html

I compile my server binaries and never rely on pre-compiled versions; I 
_never_ imagined using Apache without suexec which IMHO is complete
nonsense and should be a default behavior. Finally I never imagined
running any virtualhost with the Apache user. That way, running Apache 
compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe.

That said, I didn't realize before that the majority of apache users are 
using pre-compiled distribution binaries, don't look at the config files 
and only rely on automatic tools. Some users don't even know how to 
compile a simple C program or have heard of that "security voodoo thing 
called suexec". (<troll>Many Linux/LAMP system admins are 
overrated</troll>). It is then better to keep the default apache 
configuration safe by _not_ opening such security issues and applying 
the patch you proposed directly at the module level.

> If the patch still applies to the current code base (I haven't tried
> it), you can use it in combination with
> PassHeader Authorization
> in order to make sure PHP gets the necessary authentication information.

Don't worry, the codebase hasn't changed much, I think your patch can 
still be applied. But although I am following the code changes very 
closely, I can't apply it to the upstream (I work on my own local 
branch, and I am unfortunately not the maintainer). I don't know if they 
are even still active.

> PS: Just as a side note, mod_fastcgi has exactly the same problem and I
> got even less reaction when posting a patch there:
> http://fastcgi.com/archives/fastcgi-developers/2007-November/004890.html
> http://fastcgi.com/archives/fastcgi-developers/2007-December/004902.html
> Seems like all FastCGI implementations for Apache known to me have no
> interest at all in this issue.

mod_fastcgi is deader than mod_fcgid, and there are very few people
willing (or able) to help or contribute to such a module. But I
believe there are many silent users. Feedback from such users could be
very interesting.


Mod-fcgid-users mailing list
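
The application-side check for the situation discussed in this thread, as an added example that is not part of the original message or of mod_fcgid: a PHP script doing its own Basic authentication can tell a header that was never passed through from a malformed one. It assumes the passed header reaches PHP as `$_SERVER['HTTP_AUTHORIZATION']`; the function names and sample values are hypothetical.

```php
<?php
// Added example. Assumption: when the web server passes the Authorization
// header through, PHP sees it as $_SERVER['HTTP_AUTHORIZATION'].

/** Parse a Basic credential; returns [user, password] or null. */
function parse_basic_auth(?string $header): ?array
{
    if ($header === null || $header === '') {
        return null;                        // header never reached the script
    }
    // The scheme name is case-insensitive; the payload must be base64.
    if (!preg_match('/^\s*Basic\s+([A-Za-z0-9+\/]+={0,2})\s*$/i', $header, $m)) {
        return null;                        // another scheme, or garbage
    }
    $decoded = base64_decode($m[1], true);  // strict mode rejects bad input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain ':'.
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

/** Prefer the values PHP populated itself, else parse the raw header. */
function credentials_from_server(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    return parse_basic_auth($server['HTTP_AUTHORIZATION'] ?? null);
}

// Constructed sample environments, standing in for $_SERVER.
$samples = [
    'header passed'  => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3:cret')],
    'header dropped' => [],
    'wrong scheme'   => ['HTTP_AUTHORIZATION' => 'Bearer abc'],
];

foreach ($samples as $label => $server) {
    $cred = credentials_from_server($server);
    echo $label, ': ',
        $cred === null ? 'no credentials, answer 401' : "user={$cred[0]}",
        "\n";
}
```

If the "header dropped" case shows up on every request even after the browser has prompted for credentials, the header is being removed before it reaches PHP, which is the symptom described at the top of this message.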
