> I compile my server binaries and never rely on pre-compiled versions; I 
> _never_ imagined using Apache without suexec which IMHO is a complete 
> nonsense and should be a default behavior. Finally I never imagined 
> running any virtualhost with the Apache user. That way, running Apache 
> compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe.

What do you mean by not using the Apache user? I know there are several
MPMs back there that do what mpm_perchild should have done, but they
have (as far as I can tell) some major drawbacks themselves (for
example, at least one has to run the mod_ssl code as root which is
really bad should there be a buffer overflow).

And if you don't run your virtual hosts as a spearate user, even with
suexec there is a very small vulnerability window to grab the
authentication data. That's why I understand the Apache people for not
passing the Authorization header by default.

> It is then better to keep the default apache 
> configuration safe by _not_ opening such security issues and applying 
> the patch you proposed directly at the module level.

Or to always pass the Authorization header at module level (which I also


Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
Mod-fcgid-users mailing list

Reply via email to