Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1997/06/24 14:21:07 UTC

apache 1.2.0 (fwd)

---------- Forwarded message ----------
Date: Tue, 24 Jun 1997 18:34:58 -0400 (EDT)
From: "Curtis Wilbar [STAFF]" <cu...@ici.net>
To: apache-bugs@apache.org
Cc: curtis@ici.net
Subject: apache 1.2.0


This is not a bug report, but what I think will be a very nice enhancement
to Apache 1.2.0.

This modification comes in real handy when running Apache 2.0 with suexec
as the httpd server for Microsoft Front Page extensions.

It allows for the syntax of

Include filename

in a *.conf file.

This allows the httpd.conf file to contain
separate includes for each virtual domain.
Those included files can all have separate owners allowing child web sites
(a MS Front Page feature) to work (otherwise you'd have to follow MS's
security model which is a closed server with every file owned by the httpd
process UID).

It's a fairly simple modification.... the majority of the time was spent
looking at how the existing code worked.

I hope the modification will come in handy to others, and if there is
a list of contributors in the product, I'd merely like a mention ...

I'd appreciate hearing your input on this feature...

Here is a diff of my mods and the Apache 1.2.0 http_core.c file:

% diff http_core.c http_core.c.orig
1149,1154d1148
< const char *process_include_file (cmd_parms *cmd, void *dummy, char *arg)
< {
<       process_resource_config(cmd->server, arg, cmd->pool, cmd->temp_pool);
<       return NULL;
< }
< 
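
Review bot: process_include_file hands arg straight to process_resource_config and then returns NULL unconditionally, so this handler can never report a missing or unreadable include file through the directive's error string, and nothing in it stops a file from naming itself and recursing without bound. Suggest checking that the file can be opened before passing it on, returning a message on failure, and tracking a nesting depth. The unused dummy parameter deserves a one-line comment.
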
1189d1182
< { "Include", process_include_file, NULL, RSRC_CONF, TAKE1, "The filename of the include file"},
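
Review bot: the table entry registers Include as RSRC_CONF with TAKE1 and nothing else, so the named file goes through the same parser with the same authority as the file that names it; if the included files are meant to be owned by other users, the patch needs either a restriction on which directives such a file may carry or an ownership and permission check on the file before it is read. The help text "The filename of the include file" should also say how a relative name is resolved. Separately, the patch was produced with the arguments reversed (diff http_core.c http_core.c.orig), so the additions appear as "<" deletions; regenerating it from http_core.c.orig to http_core.c would make it easier to apply.
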




Re: apache 1.2.0 (fwd)

Posted by Dean Gaudet <dg...@arctic.org>.
Hi Curtis,

Cliff Skolnick and I talked about this exact thing recently (MS Front
Page).  The problem is that the file you allow them to include can include
any command.  "User root" for example, could be problematic.  So this
doesn't increase your security at all. 

The only solution we could come up with was to allow frontpage to write to
some file, which you then process with an anal perl script that filters
exactly the commands it is supposed to use and tacks them into the main
config.  You have to fire that script off with the right uid, but that's a
different problem.

Dean

On Tue, 24 Jun 1997, Rob Hartill wrote:

> 
> ---------- Forwarded message ----------
> Date: Tue, 24 Jun 1997 18:34:58 -0400 (EDT)
> From: "Curtis Wilbar [STAFF]" <cu...@ici.net>
> To: apache-bugs@apache.org
> Cc: curtis@ici.net
> Subject: apache 1.2.0
> 
> 
> This is not a bug report, but what I think will be a very nice enhancement
> to Apache 1.2.0.
> 
> This modification comes in real handy when running Apache 2.0 with suexec
> as the httpd server for Microsoft Front Page extensions.
> 
> It allows for the syntax of
> 
> Include filename
> 
> in a *.conf file.
> 
> This allows the httpd.conf file to contain
> separate includes for each virtual domain.
> Those included files can all have separate owners allowing child web sites
> (a MS Front Page feature) to work (otherwise you'd have to follow MS's
> security model which is a closed server with every file owned by the httpd
> process UID).
> 
> It's a fairly simple modification.... the majority of the time was spent
> looking at how the existing code worked.
> 
> I hope the modification will come in handy to others, and if there is
> a list of contributors in the product, I'd merely like a mention ...
> 
> I'd appreciate hearing your input on this feature...
> 
> Here is a diff of my mods and the Apache 1.2.0 http_core.c file:
> 
> % diff http_core.c http_core.c.orig
> 1149,1154d1148
> < const char *process_include_file (cmd_parms *cmd, void *dummy, char *arg)
> < {
> <       process_resource_config(cmd->server, arg, cmd->pool, cmd->temp_pool);
> <       return NULL;
> < }
> < 
> 1189d1182
> < { "Include", process_include_file, NULL, RSRC_CONF, TAKE1, "The filename of the include file"},
> 
> 
> 
>
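
The reply above describes filtering a user-written file down to exactly the permitted commands before tacking them into the main config. The following allowlist filter is an added example in Python rather than Perl, not code from this thread or from Apache; the allowlist contents, the name filter_fragment and the sample input are assumptions made for illustration.

```python
import re

# Assumption: directives a delegated site owner may set. The thread names
# none, so this allowlist is illustrative only.
ALLOWED = {"directoryindex", "errordocument", "addtype"}
DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)(?:[ \t]+(.*))?$")

# Constructed sample of what an untrusted owner might write.
SAMPLE = (
    "# site settings\n"
    "DirectoryIndex index.html\n"
    "User root\n"
    "<Directory />\n"
    "errordocument 404 /missing.html\n"
    "Include /etc/passwd\n"
    "AddType text/html .html \\\n"
)


def filter_fragment(text):
    """Return (accepted lines, [(line_number, raw_line, reason), ...])."""
    accepted, rejected = [], []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directive
        match = DIRECTIVE_RE.match(line)
        if any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in raw):
            reason = "control character"
        elif line.endswith("\\"):
            # Would join this line to whatever follows it in the main config.
            reason = "line continuation"
        elif match is None:
            reason = "not a plain directive"  # e.g. <Directory> containers
        elif match.group(1).lower() not in ALLOWED:
            reason = "directive not allowed"
        else:
            # Re-emit from parsed parts instead of copying the raw line.
            accepted.append(" ".join(p for p in match.groups() if p))
            continue
        rejected.append((num, raw, reason))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_fragment(SAMPLE)
    print("\n".join(ok))
    for num, raw, reason in bad:
        print(f"rejected line {num}: {reason}: {raw!r}")
```

Only the accepted list is appended to the main config; the rejected list goes to the operator's log so that a dropped "User" or "Include" line is visible rather than silently discarded.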