Hi,
I compile my server binaries and never rely on pre-compiled versions; I
_never_ imagined using Apache without suexec which IMHO is a complete
nonsense and should be a default behavior. Finally I never imagined
running any virtualhost with the Apache user. That way, running Apache
compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe.
What do you mean by not using the Apache user? I know there are several
MPMs back there that do what mpm_perchild should have done, but they
have (as far as I can tell) some major drawbacks themselves (for
example, at least one has to run the mod_ssl code as root which is
really bad should there be a buffer overflow).
And if you don't run your virtual hosts as a separate user, even with
suexec there is a very small vulnerability window to grab the
authentication data. That's why I understand the Apache people for not
passing the Authorization header by default.
It is then better to keep the default apache
configuration safe by _not_ opening such security issues and applying
the patch you proposed directly at the module level.
Or to always pass the Authorization header at module level (which I also
proposed).
Regards,
Christian
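To make the point above concrete, here is an added configuration sketch (not from this thread or from the mod_fcgid project): the Authorization header is handed to the FastCGI process only inside a virtual host that suexec already runs as its own user, never at server level where every vhost shares the Apache user. SuexecUserGroup and FcgidWrapper are existing directives; FcgidPassHeader exists in later mod_fcgid releases and is assumed here to be the module-level option being discussed; host names, users and paths are placeholders.

```apache
# Added example, not code from the thread.
# Assumptions: FcgidPassHeader (mod_fcgid 2.3+) is the module-level
# option discussed; names, users and paths below are placeholders.

# Server level: vhosts here run as the shared Apache user, so a global
# "FcgidPassHeader Authorization" would give every script on the box
# the Basic-auth credentials of every user, which is the exposure that
# SECURITY_HOLE_PASS_AUTHORIZATION opens. Leave it unset at this level.
# FcgidPassHeader Authorization   <- deliberately NOT set globally

<VirtualHost *:80>
    ServerName example-a.test
    DocumentRoot /srv/www/example-a

    # suexec: this vhost's FastCGI processes run as their own account,
    # so only vhost_a's processes can ever see what is passed here.
    SuexecUserGroup vhost_a vhost_a

    # Wrapper must be inside the suexec document root and owned by
    # vhost_a, as suexec's checks require.
    FcgidWrapper /srv/www/example-a/php-wrapper .php
    AddHandler fcgid-script .php

    # Only now is forwarding the header acceptable: the credentials stay
    # within the process tree of the user who owns this vhost.
    FcgidPassHeader Authorization

    <Directory /srv/www/example-a>
        Options +ExecCGI
        # Apache 2.2 access syntax, matching the era of the thread.
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Verify the setup with `apachectl -t` and confirm that the FastCGI process for the vhost appears under the suexec user in the process list before enabling FcgidPassHeader.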
-
Mod-fcgid-users mailing list
Mod-fcgid-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users