Hi,

> I compile my server binaries and never rely on pre-compiled versions; I
> _never_ imagined using Apache without suexec which IMHO is complete
> nonsense and should be the default behavior. Finally I never imagined
> running any virtualhost with the Apache user. That way, running Apache
> compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe.
What do you mean by not using the Apache user? I know there are several MPMs back there that do what mpm_perchild should have done, but they have (as far as I can tell) some major drawbacks themselves (for example, at least one has to run the mod_ssl code as root, which is really bad should there be a buffer overflow). And if you don't run your virtual hosts as a separate user, even with suexec there is a very small vulnerability window to grab the authentication data. That's why I understand the Apache people for not passing the Authorization header by default.

> It is then better to keep the default apache
> configuration safe by _not_ opening such security issues and applying
> the patch you proposed directly at the module level.

Or to always pass the Authorization header at module level (which I also proposed).

Regards,
Christian

_______________________________________________
Mod-fcgid-users mailing list
Mod-fcgid-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users