>> And if you don't run your virtual hosts as a spearate user, even with
>> suexec there is a very small vulnerability window to grab the
>> authentication data. That's why I understand the Apache people for not
>> passing the Authorization header by default.
> There is not such a small window because suexec is setuid,

Yes, sorry, I got mixed up with real and effective user ids with setuid
(the setuid bit on an executable sets the effective user id, not the
real user id to root, therefore /proc/pid/environ is not accessible for
non-root users). Nevertheless, very few people actually use suexec. And
even if people use suexec, nearly nobody compiles their own Apache binary.

> Apache people set that compile flag off by default because suexec is by 
> far not a "default" feature. There is so many Apache setups out there 
> running everything with a single user, even some shared hosting providers.

Even most of the shared hosting providers I'd guess...

>> Or to always pass the Authorization header at module level (which I also
>> proposed).
> CGI/FastCGI processes are not designed to parse HTTP headers, we should 
> not pass them more headers. But if you mean always converting the 
> Authorization header to its HTTP_ corresponding environment variable, I 
> think it is safe to do so.

Yes, I meant that.


Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
Mod-fcgid-users mailing list

Reply via email to