Re: Feedback needed: suexec different-owner patch

2016-04-01 Thread monttyle
On 2016-03-30 16:35, Jacob Champion wrote: Sorry, but that is not a good approach. You must assume that a local attacker calls suexec directly and passes arguments of his liking. That is the attack vector that suexec's rather annoying restrictions try to avoid. Checking my own understanding...

Re: Feedback needed: suexec different-owner patch

2016-04-01 Thread monttyle
On 2016-03-30 14:49, Stefan Fritsch wrote: On Saturday 19 March 2016 11:09:40, montt...@heavyspace.ca wrote: Since it's been a while since this issue was mentioned, this patch allows Apache to suexec files by a different (but still restricted by UID) owner, to avoid the security issue where

Re: Any one doing it?

2016-04-01 Thread William A Rowe Jr
On Fri, Apr 1, 2016 at 11:49 AM, Yann Ylavic wrote: > On Fri, Apr 1, 2016 at 6:36 PM, Luca Toscano > wrote: > > > > +1, let's concentrate on 2.4 :) > > You know, there are still many 2.2 around, and some people may have > backported 2.4 fixes to 2.2

Re: svn commit: r1737382 - /httpd/httpd/trunk/docs/manual/mod/core.xml

2016-04-01 Thread Luca Toscano
2016-04-01 16:32 GMT+02:00 Eric Covener : > On Fri, Apr 1, 2016 at 10:05 AM, Luca Toscano > wrote: > > Yep I thought what was best too and decided to commit on trunk to gather > > some feedback. The Bug is low severity but as stated in users@ the > >

Re: svn commit: r1737382 - /httpd/httpd/trunk/docs/manual/mod/core.xml

2016-04-01 Thread Eric Covener
On Fri, Apr 1, 2016 at 10:05 AM, Luca Toscano wrote: > Yep I thought what was best too and decided to commit on trunk to gather > some feedback. The Bug is low severity but as stated in users@ the > documentation says X and httpd does the opposite, getting people confused.

Re: svn commit: r1737382 - /httpd/httpd/trunk/docs/manual/mod/core.xml

2016-04-01 Thread Luca Toscano
Hi Eric and Rüdiger, 2016-04-01 15:59 GMT+02:00 Rüdiger Plüm : > > > On 04/01/2016 03:48 PM, Eric Covener wrote: > > I am -0.9 on this info in the manual, for a relatively low severity bug. > > +1. We don't do this kind of stuff in the documentation. This is what > CHANGES and

Re: svn commit: r1737382 - /httpd/httpd/trunk/docs/manual/mod/core.xml

2016-04-01 Thread Rüdiger Plüm
On 04/01/2016 03:48 PM, Eric Covener wrote: > I am -0.9 on this info in the manual, for a relatively low severity bug. +1. We don't do this kind of stuff in the documentation. This is what CHANGES and Bugzilla are for. Regards Rüdiger > > On Fri, Apr 1, 2016 at 9:31 AM,

Re: svn commit: r1737382 - /httpd/httpd/trunk/docs/manual/mod/core.xml

2016-04-01 Thread Eric Covener
I am -0.9 on this info in the manual, for a relatively low severity bug. On Fri, Apr 1, 2016 at 9:31 AM, wrote: > Author: elukey > Date: Fri Apr 1 13:31:28 2016 > New Revision: 1737382 > > URL: http://svn.apache.org/viewvc?rev=1737382&view=rev > Log: > Added warning for