Hi!

>> And if you don't run your virtual hosts as a separate user, even with
>> suexec there is a very small vulnerability window to grab the
>> authentication data. That's why I understand the Apache people for not
>> passing the Authorization header by default.
>
> There is not such a small window because suexec is setuid,

Yes, sorry, I got mixed up with real and effective user ids with setuid (the setuid bit on an executable sets the effective user id, not the real user id, to root, therefore /proc/pid/environ is not accessible for non-root users). Nevertheless, very few people actually use suexec. And even if people use suexec, nearly nobody compiles their own Apache binary.

> Apache people set that compile flag off by default because suexec is by
> far not a "default" feature. There are so many Apache setups out there
> running everything with a single user, even some shared hosting providers.

Even most of the shared hosting providers I'd guess...

>> Or to always pass the Authorization header at module level (which I also
>> proposed).
>
> CGI/FastCGI processes are not designed to parse HTTP headers, we should
> not pass them more headers. But if you mean always converting the
> Authorization header to its HTTP_ corresponding environment variable, I
> think it is safe to do so.

Yes, I meant that.

Regards,
Christian

_______________________________________________
Mod-fcgid-users mailing list
Mod-fcgid-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users
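The exposure the thread is about, as an added example that is not part of the original mail or of mod-fcgid: a CGI/FastCGI-style handler reads Basic credentials from the HTTP_AUTHORIZATION environment variable, and a same-uid process standing in for another vhost's script checks whether that credential is readable through /proc/<pid>/environ. It assumes a Linux /proc; the user name and password are constructed sample values.

```python
import base64
import binascii
import os
import subprocess
import sys

# Constructed sample credential (not from the mailing list).
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()


def parse_basic_auth(environ):
    """Return (user, password) from a CGI-style HTTP_AUTHORIZATION value,
    or None when the header is absent or is not well-formed Basic auth."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def environ_leaks_authorization(pid):
    """Linux only: True if /proc/<pid>/environ of another process carries
    HTTP_AUTHORIZATION, False if not, None if /proc is unavailable or
    access is denied (different uid, or a setuid/non-dumpable process)."""
    try:
        with open(f"/proc/{pid}/environ", "rb") as fh:
            return b"HTTP_AUTHORIZATION=" in fh.read()
    except OSError:
        return None


def demo():
    """Start a same-uid child with the header in its environment (standing in
    for a CGI process of another vhost run under the one Apache user) and
    report whether its environment, credential included, can be read."""
    env = dict(os.environ, HTTP_AUTHORIZATION=SAMPLE_HEADER)
    try:
        child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"], env=env)
    except OSError:
        return None
    try:
        return environ_leaks_authorization(child.pid)  # environ is fixed at exec time
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    print(parse_basic_auth({"HTTP_AUTHORIZATION": SAMPLE_HEADER}))
    print("credential readable by a same-uid process:", demo())
```

A result of True is the single-user setup the mail describes; with per-vhost users (or a setuid suexec child) the read is refused and the function returns None.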